S-Series Administration Guide Version 4.8


vsec:cms versasec.com 1(338)

All information herein is either public information or is the property of and owned solely by Versasec who shall have and keep the sole right to file patent applications or any other kind of intellectual property protection in connection with such information. Nothing herein shall be construed as implying or granting to you any rights, by license, grant or otherwise, under any intellectual and/or industrial property rights of or concerning any of Versasec information. This document can be used for informational, non-commercial, internal and personal use only provided that the copyright notice below, the confidentiality and proprietary legend and this full warning notice appear in all copies. This document shall not be posted on any network or broadcast in any media and no modification of any part of this document shall be made. Use for any other purpose is expressly prohibited and may result in severe civil and criminal liabilities. The information contained in this document is provided AS IS without any warranty of any kind. Unless otherwise expressly agreed in writing, Versasec makes no warranty as to the value or accuracy of information contained herein. The document could include technical inaccuracies or typographical errors. Changes are periodically added to the information herein. Furthermore, Versasec reserves the right to make any change or improvement in the specifications data, information, and the like described herein, at any time. Versasec hereby disclaims all warranties and conditions with regard to the information contained herein, including all implied warranties of merchantability, fitness for a particular purpose, title and non-infringement.

In no event shall Versasec be liable, whether in contract, tort or otherwise, for any indirect, special or consequential damages or any damages whatsoever including but not limited to damages resulting from loss of use, data, profits, revenues, or customers, arising out of or in connection with the use or performance of information contained in this document. Versasec does not and shall not warrant that this product will be resistant to all possible attacks and shall not incur, and disclaims, any liability in this respect. Even if each product is compliant with current security standards in force on the date of their design, security mechanisms' resistance necessarily evolves according to the state of the art in security and notably under the emergence of new attacks. Under no circumstances shall Versasec be held liable for any third party actions and in particular in case of any successful attack against systems or equipment incorporating Versasec products. Versasec disclaims any liability with respect to security for direct, indirect, incidental or consequential damages that result from any use of its products. It is further stressed that independent testing and verification by the person using the product is particularly encouraged, especially in any application in which defective, incorrect or insecure functioning could result in damage to persons or property, denial of service or loss of privacy.

Versasec AB - Versasec, the Versasec logo, vsec:cms, vsec:id and vsec:mail are trademarks and service marks of Versasec AB and are registered in certain countries. All other trademarks and service marks, whether registered or not in specific countries, are the property of their respective owners.

Document ID:

Table of Contents

Administration Guide ... 6
Overview ... 6
Architecture ... 7
Components ... 7
Hardware Requirements
Software Requirements
Supported Smart Cards
PKI Support
Who Should Read This Book
Contact Versasec
Administrator Manual
Definitions
Installation
Uninstall the S-Series
Menu Options
Home
Lifecycle
Actions
Repository ... 17
Templates
Options
How-to
Configure
Card Templates
Settings
Smart Cards
Security
Connections
Variables
Operators
PIV
Device Management
Roles
Repository Views
PIN Policy
BIO Policy
Repository
Customize Repository Tables
SQL Database Support
Configure Photo Capture
Use Smart Card Printer
Operator Service Key Store
Multiple Roles
Multiple PINs
Manage ID Types
Plugins
Key Archival and Key Recovery
Encode RFID Smart Card
Temporary Card Template
Configure Root and Sub CA Import
Configure PKCS#12 Certificate Database
Configure S-Series Service for Windows User Account
Miscellaneous Settings
Perform Tasks
Action Flows
Smart Card Token Lifecycle
Upgrade Licenses
Generate New Master Key
Diagnostic Support
Upgrade S-Series
Migrate T-Series to S-Series
Batch Preview Print Flow
PKCS12 File as Certificate Connection
Manage Virtual Smart Cards
Batch Issuance
S-Series Failover Setup
Migrate S-Series
Setup S-Series as Remote Application
Restore S-Series
Create S-Series Operator Cards
Issue S-Series Operator Card(s)
User Self-Service Using Operator Console Service
Manage Computer and Application Certificates
Customize Subject in Certificate Request
Configure HSM Support
Using Elliptic Curve Cryptography
Smart Card Stock Management
Configure Alt-Security-Identities Management
Configure Validation Steps before Issuance
Configure Pre-Issuance
Configure Extended Permission Checks
Configure USS Dialog Messages
Configure Change PIN
Configure Windows Group Permissions
Credential Provider
Best Practice Recommendations
Glossary/Abbreviations

Administration Guide

Overview

The vsec:cms S-Series application, referred to as the S-Series throughout this document, is an innovative, easily integrated and cost-effective Smart Card Management System (SCMS or CMS) that will help you deploy and manage smart cards within your organization. The S-Series is a standalone application that is installed on a server and is typically accessed through HTTP(S) or Windows Terminal Services. The S-Series is best suited for larger deployments where several operators interact with the smart card management system in parallel.

Architecture

S-Series is a version of the vsec:cms product suite where S stands for Server.

Components

The application is separated into four main components:

- A MS Windows service, named vsec:cms Service (1) in the architecture drawing above, which manages the S-Series database in addition to operator account management for those operators who have access to the S-Series. This service runs as a MS Windows service and will be installed by default to run under the MS Windows SYSTEM account.
- A MS Windows service, named vsec:cms SOAP Service (11) in the architecture drawing above, which communicates with the vsec:cms Service and is the SOAP service for the vsec:cms Operator Console (2) and the vsec:cms User Self-Service Console (12).
- The vsec:cms Operator Console (2), which is run by each operator in the user's context.
- The vsec:cms User Self-Service Console (12), which is run on an end user's workstation, from where smart card users can perform self-service smart card operations with conventional smart cards (8) or virtual smart cards (14).

The SOAP HTTPS channel between the vsec:cms SOAP Service and the vsec:cms Operator Console and vsec:cms User Self-Service Console is secured using AES128 encryption. The vsec:cms Operator Console and vsec:cms User Self-Service Console construct SOAP-XML requests using the Windows Web Services API (WWSAPI). The SOAP requests are sent using HTTP/HTTPS to the vsec:cms SOAP Service. The vsec:cms SOAP Service is a .NET WWSAPI service running as a Windows service. The vsec:cms SOAP Service performs the following flow:

1. Sends the SOAP request as received from the vsec:cms Operator Console and the vsec:cms User Self-Service Console to the vsec:cms Windows service through encrypted shared memory;
2. Receives back the response from the vsec:cms Windows service through encrypted shared memory;
3. Constructs the XML response;
4. Returns the XML SOAP response to the vsec:cms Operator Console and the vsec:cms User Self-Service Console.

The vsec:cms Operator Console and the vsec:cms User Self-Service Console applications then parse the XML using WWSAPI.

vsec:cms Service (1)

The vsec:cms Service manages the Database (4), which is stored in the [DAT] folder that sits beside the service executable (CmsService.exe). By default, this folder has access permissions set for the MS Windows SYSTEM user and the Windows user who installed the application. Optionally the Database (4) can be hosted in an SQL database. By default the security keys used by vsec:cms are stored on the Operator Cards (7). These keys can optionally be stored in an HSM (13) if required. The Enrollment Agent (EA) certificate key(s) can be stored on the Operator Cards (7) or optionally on an HSM (13). The EA is required when issuing card holders' certificates on behalf of a user. The Database (4) contains several tables. These tables contain information about the smart cards managed and the configuration settings used for the S-Series. The database is encrypted with keys stored on the Operator Card(s) (7); therefore the database can only be accessed when an operator card is available. If the application is configured for backup, the vsec:cms Service encrypts the database and stores the backup file in the configured location. If configured, the vsec:cms Service will send status information to the MS Windows Event System (5).

vsec:cms SOAP Service (11)

The vsec:cms SOAP Service (11) communicates with the vsec:cms Service (1) over encrypted shared memory. The vsec:cms SOAP Service (11) is the SOAP service for the vsec:cms Operator Console (2) and the vsec:cms User Self-Service Console (12), providing the communication channel for these components. This channel is over HTTP(S).

The vsec:cms SOAP Service (11) consists of three separate Windows services: vsec:cms - Operator Console Service (for the vsec:cms Operator Console (2)), vsec:cms - User Self Service (for the vsec:cms User Self-Service Console (12)) and the vsec:cms RSDM service. These services manage the communication between the different components.

vsec:cms Operator Console (2)

The vsec:cms Operator Console (2) is started for each operator in the user's context. It provides the application interface to the operator. The operator needs to log on to the application using a valid operator smart card (7), thereby providing two-factor authentication. The operator card(s) also contain several security keys, which are only accessible with a valid PIN. The vsec:cms Operator Console (2) accesses the database through the vsec:cms SOAP Service (11). When managing User Smart Cards (8), the vsec:cms Operator Console (2) needs to communicate with Directory Servers (9) and Certification Authorities (CA) (10). For connecting to the Directory Servers (9) the LDAP(S) protocol is used. This depends on what is configured in the environment, but the default ports typically used are 389 or 636. For connecting to the Certification Authorities (CA) (10) the DCOM/RPC protocol is used. The default port for DCOM/RPC is typically 135. All communication between the vsec:cms Operator Console (2) and the smart card is done through the smart card minidriver. Certificate key(s) are generated on the smart card and the certificate request is sent to the CA using the Microsoft ICertRequest API.

vsec:cms User Self-Service Console (12)

The vsec:cms User Self-Service Console is started for each user on their workstation. It provides the UI for the user to perform self-service operations on their smart card (8). All communication is performed through the vsec:cms SOAP Service (11). The protocol used is HTTP(S). The connection and the port are configurable through the vsec:cms Operator Console (2).

vsec:cms RSDM

The vsec:cms RSDM is a Windows service which is installed on each client machine on which a smart card (either virtual or physical) is to be issued and managed by the S-Series. The vsec:cms RSDM service running on the client machines sends a registration request to the RSDM service running on the server side (the vsec:cms SOAP Service (11)) when the RSDM service starts. Communication is performed through the vsec:cms SOAP Service (11) when registration is performed. The protocol used in this case is HTTP(S). Additionally, the RSDM service can be configured to receive push notifications from the server side. The push notifications are sent from the server side to the client using User Datagram Protocol (UDP) broadcasting. These push notifications notify the client that an event is waiting for it on the server that the client needs to process.

Ports and Protocols

The table below outlines the ports and protocols used by the S-Series based on the architecture diagram above. It is assumed that there is no firewall between the vsec:cms Service and any external component that the service communicates with. This section is a guideline only, specifically regarding the ports, as the ports are configurable depending on your environment setup. For every row, the port actually used depends on what is configured in the environment; the Default Port column lists the usual defaults.

| Application | Rule Type | Source System | Destination System | L7 Protocol/Service | Default Port | L4 Protocol | Comments |
|---|---|---|---|---|---|---|---|
| vsec:cms Operator Console | Inbound (from 2 to 10) | External user | MS CA Service | DCOM/RPC | 135 | TCP | |
| vsec:cms Operator Console | Inbound (from 2 to 9) | External user | Directory | LDAP(S) | 389 or 636 | TCP | |
| vsec:cms Operator Console | Inbound (from 2 to 11) | External user | vsec:cms SOAP Service | HTTP(S) | 80 or 443 | TCP | |
| vsec:cms User Self-Service Console | Inbound (from 12 to 11) | External user | vsec:cms SOAP Service | HTTP(S) | 80 or 443 | TCP | |
| vsec:cms RSDM Service | Inbound (from 12 to 11) | External user | vsec:cms SOAP Service | HTTP(S) | 80 or 443 | TCP | |
| vsec:cms RSDM Service (optional) | Outbound (from 1 to 11) | CMS service | RSDM service on the client | Proprietary | Configurable on the client | UDP | |
| vsec:cms Service | From 1 to 10 | CMS service | MS CA Service | DCOM/RPC | 135 | TCP | |
| vsec:cms Service | From 1 to 9 | CMS service | Directory | LDAP(S) | 389 or 636 | TCP | |
| vsec:cms Service | From 1 to 13 | CMS service | HSM | Proprietary for HSM | Depends on HSM | TCP | |
| vsec:cms Service | From 1 to 4 | CMS service | Database | ODBC | | TCP | Only required if MS SQL is used for the database. |

Hardware Requirements

The S-Series can be installed on the following server platforms:

Note: Virtual servers are supported.

- Microsoft Windows 2008 Server;
- Microsoft Windows 2008 R2 Server;
- Microsoft Windows 2012 Server;

- Microsoft Windows 2012 R2 Server.

The server minimum hardware requirements:

- At minimum 2 processors with 2 GHz or faster;
- Memory 2 GB RAM or greater;
- Available disk space on the server of 40 GB or greater for the operating system plus 2 GB or greater for the S-Series database.

For optimal performance, though, the following hardware is recommended.

Server recommended hardware requirements where the S-Series is installed:

- At minimum 2 Intel Xeon processors with 2 GHz or faster;
- Memory 8 GB or greater;
- Available disk space on the server of 40 GB or greater for the operating system plus 2 GB or greater for the S-Series database;
- Gigabit-LAN (1,000 Mbit/s).

Client recommended hardware requirements for any workstation that the S-Series Operator Console is installed on:

- At minimum 2 Intel i7 processors with 3.6 GHz or faster;
- Memory 8 GB or greater;
- Gigabit-LAN (1,000 Mbit/s).

Software Requirements

The Gemalto IDGo 800 minidriver needs to be installed on the server where the S-Series is installed. Additionally, the minidriver of the smart card that is to be managed by the S-Series should be installed on the server. The server where the S-Series is installed should also have Microsoft .NET Framework 2.0 and 4.0 installed.

Supported Smart Cards

Using the S-Series it is possible to manage the following smart cards:

- Gemalto IDPrime.NET 510
- Gemalto IDPrime.NET 5500
- Gemalto IDPrime MD 3810
- Gemalto IDPrime MD 830
- Gemalto IDPrime MD 840/3840
- Gemalto IDPrime PIV Card v2.0
- Gemalto IDBridge K3000
- Gemalto/SafeNet eToken 5100, 5105, 5110
- ACS ACOS5-64
- ACS CryptoMate64
- Avtor CryptoCard337
- Athena IDProtect Smart Card
- Athena IDProtect Key USB Token
- Athena IDProtect Key Nano USB
- Athena CNS
- Morpho ypsid S2
- Morpho ypsid S3
- Oberthur Authentic
- Oberthur IAS ECC
- Oberthur ID-One PIV card

- HID C200
- HID C1150
- Raak Technologies C2
- Feitian ePass2003 Token
- Taglio C2
- Taglio PIVKey
- Yubico YubiKey PIV
- Atos CardOS 5.3
- Atos CardOS 4.4
- Cryptovision cards supporting ePKI Applet v2.8
- MIFARE DESFire EV1
- Virtual Smart Cards: vsec:cms VSC, Microsoft VSC, Charismathics VSC
- Microsoft minidriver enabled smart cards

Note: Currently vsec:cms VSC is supported with TPM 1.2 only.

PKI Support

The S-Series can be used with the following PKI certificate authorities:

- Microsoft Certificate Authority from 2008 R2 and above;
- EJBCA Community and Enterprise;
- Entrust version 8.1;
- Symantec version 8.15;
- Nexus Certificate Manager version 7.9;
- UniCERT version 5.3.8;
- GlobalSign;
- IDnomic (formerly known as OpenTrust) PKI version

Important: Depending on which CA you use, not all specific workflows and processes may be covered. Please contact Versasec (see Contact Versasec below) for information on your CA-specific workflows to ensure that they are covered by the S-Series.

Important: If you plan to use the User Self-Service feature of the S-Series for certificate issuance and certificate renewal, this is currently limited to Microsoft CA.
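The following PowerShell is an added illustration of the Ports and Protocols table above and is not part of the Versasec guide: it creates Windows Firewall rules on the S-Series server for the default server-side ports listed there (inbound to the SOAP Service, outbound from the vsec:cms Service to the CA and the Directory). The IP addresses, address range and rule names are placeholders; the Operator Console's own connections from operator workstations to the CA and Directory are not covered because they do not terminate on the server.

```powershell
# Added example, not from the Versasec guide. Windows Firewall rules on the S-Series
# server derived from the Ports and Protocols table: inbound to the vsec:cms SOAP
# Service (11), outbound from the vsec:cms Service (1) to the CA (10) and the
# Directory (9). Adjust the ports if your environment uses non-default values.

# Placeholders: replace with the real CA, directory and workstation addresses.
# -RemoteAddress takes IP addresses, subnets or ranges, not DNS names.
$CaAddress        = '10.0.10.5'
$DirectoryAddress = '10.0.10.6'
$Workstations     = '10.0.20.0/24'   # Operator Consoles, USS Consoles and RSDM clients

# Inbound: Operator Console (2), User Self-Service Console (12) and RSDM clients
# reach the vsec:cms SOAP Service (11) over HTTP(S), default 80 or 443 TCP.
New-NetFirewallRule -DisplayName 'vsec:cms SOAP Service HTTP(S)' `
    -Direction Inbound -Protocol TCP -LocalPort 80,443 `
    -RemoteAddress $Workstations -Action Allow -Profile Domain

# Outbound: vsec:cms Service (1) to the MS CA (10) over DCOM/RPC, default 135 TCP.
# Port 135 is only the RPC endpoint mapper; DCOM then continues on a dynamic port
# range, so that range (or a fixed range configured on the CA) must be allowed too.
New-NetFirewallRule -DisplayName 'vsec:cms Service to CA DCOM/RPC' `
    -Direction Outbound -Protocol TCP -RemotePort 135 `
    -RemoteAddress $CaAddress -Action Allow -Profile Domain

# Outbound: vsec:cms Service (1) to the Directory (9) over LDAP(S), default 389 or 636 TCP.
New-NetFirewallRule -DisplayName 'vsec:cms Service to Directory LDAP(S)' `
    -Direction Outbound -Protocol TCP -RemotePort 389,636 `
    -RemoteAddress $DirectoryAddress -Action Allow -Profile Domain

# Review the resulting rules together with their port filters.
Get-NetFirewallRule -DisplayName 'vsec:cms*' |
    ForEach-Object {
        $port = $_ | Get-NetFirewallPortFilter
        [pscustomobject]@{
            Rule       = $_.DisplayName
            Direction  = $_.Direction
            Protocol   = $port.Protocol
            LocalPort  = ($port.LocalPort -join ',')
            RemotePort = ($port.RemotePort -join ',')
        }
    } | Format-Table -AutoSize
```

The optional RSDM push channel (UDP, port configurable on the client) and the HSM and ODBC connections are deliberately left out, since their ports exist only in your own configuration.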

Who Should Read This Book

This manual is aimed at System Administrators (operators) who will use, configure and manage the S-Series.

Contact Versasec

If you do not find the information you need in this manual, or if you find errors, please contact Versasec's expert security team at info@versasec.com.

Administrator Manual

Definitions

For clarification for readers of this guide, the following definitions are provided:

S-Series: the vsec:cms S-Series.

T-Series: the vsec:cms T-Series. This is the version of the vsec:cms that is installed on a secure USB token. For further details on the T-Series please consult the product documentation that describes this version in detail.

Demo version: this refers to the vsec:cms application when it is installed and runs as a simulated software operator token. The demo version is a free-to-use, 5-user-license software version that should be used for evaluation purposes only.

Operator token: the physical smart card token that the operator uses to access the S-Series application. The Operator token will be installed with the vsec:cms operator application (applet).

User(s): (also referred to as end user) any person who uses a smart card provisioned by the S-Series; typically an end user is an employee in an organization that uses a smart card.

Operator: any person who is in possession of an Operator token, knows its passcode, and can therefore perform operations with the S-Series. There are four types of operator tokens:

1. The System Owner: one required per system. Used for administrative purposes, but not recommended for normal operator use. Comes in the form of a Gemalto IDPrime.NET smart card and does not consume a license count. This is the smart card token that is typically created by the smart card vendor distributor and shipped to the end customer. It will be necessary to use this token to initialize the S-Series on first use. Once the system has been initialized and set up it is recommended that the System Owner smart card is stored away in a safe.
2. The Full Featured Operator: can be used for operator access to the system. Comes in the form of a Gemalto IDPrime.NET smart card and consumes one (1) license count per operator token.
3. OSKS (Operator Service Key Store): an encrypted software-based or HSM-based server operator, only available for operator service use. Each OSKS consumes one (1) license count.
4. The Authentication Only Operator: requires the operator service use. Any S-Series supported minidriver enabled user smart card can be used and consumes one (1) license count per operator card.

The operators will have different roles, each of which has different levels in regards to what operations they can perform. The default roles are defined as:

- System Administrator: an operator that can perform all operations in the S-Series.
- Elevated: an operator that can perform license upgrades and configuration changes.
- Normal: an operator that can perform process workflows.
- Restricted: an operator that can perform smart card unblock workflows.
- Key recovery: an operator that can perform key recovery workflows.

Installation

In order to install the S-Series application, double click the installer executable to start the installation.

Note: The installer should be provided to you by your provider.

Once the installer starts, follow the steps below to complete the installation:

1. Click I Agree to accept the license agreement.
2. Select the installation type. In this case select the S-Series Server option.
3. Accept or select a destination folder and click the Install button to begin the installation.
4. When the installation is complete click the Close button to end.

A shortcut icon will appear on the desktop. It will be necessary to attach the System Owner operator card as received from your provider when starting the S-Series. Follow the instructions below to initialize the system on first use.

Alternatively, if it is required to do a silent install from a command prompt, run the installer as:

    > vsec_cms_sx.x.exe /S

where x.x is the particular version of the S-Series that you are running.

Uninstall the S-Series

In order to uninstall the S-Series application, from Start > Control Panel select Uninstall a program under Programs. Select vsec:cms and click Uninstall/Change to begin the uninstall.

Important: When the S-Series is uninstalled the database will be deleted. This will result in smart cards that are managed by the S-Series becoming unmanageable. If the S-Series is configured to copy the backup database to a secure, backed-up location then the database can be restored in the future from this file.

Important: After running the uninstaller make sure that all files and folders are deleted from the system. It is recommended to delete the entire Versasec folder from Program Files. For example, if the installation was installed into the default location on a Windows 2008 R2 server then delete the entire folder structure in C:\Program Files (x86)\versasec\vsec_cms S-Series.

Menu Options

This section provides a description of the menu options available from the S-Series application.

Home

The Home screen is displayed when an operator logs onto the S-Series. From the Home screen, information on the license, the number of smart cards managed by the S-Series, the expiration of the enrollment agent certificate, the operator token and the supported smart cards is presented. Also, from the status bar it is possible to see how many operators are logged into the S-Series (bottom left hand side) and whether an enrollment agent certificate is installed and valid for the particular operator that is logged on (bottom right hand side).

License information: Information regarding who the license was issued to as well as the maximum number of user cards that can be managed with the S-Series is displayed. The screen also shows how many user cards have already been issued/registered and how many more cards can be issued/registered. Additionally, if a connection to a CA is configured that has an enrollment agent certificate, the expiration date for this certificate is displayed here.

Operator Token Information: Information about the version of the S-Series is provided here along with details on the capacity used on the smart card. More details can be viewed by clicking the More information about your Operator Token link, which will display specific details about the hardware token.

Supported Smart Cards: Details about the supported smart cards are listed in this section.

Lifecycle

The management of smart card tokens throughout their lifecycle is performed from this page. Operators can easily view the current lifecycle state of the token from the state diagram and manage the entire lifecycle of the token from this page.

Actions

The Actions section provides several functional options for smart card tokens which are managed by the S-Series.

Smart Card Unblock

A user smart card registered with the S-Series application can be unblocked either online or offline. An online unblock means that the user smart card needs to be physically attached to the same system that the S-Series application is running on. An offline unblock means that the user smart card is not physically attached to the same system that the S-Series application is running on, and therefore an unblock challenge needs to be provided to the operator to perform the unblock operation.

Temporary Smart Card

A temporary card template can be used to issue a smart card token from this page.

PIN Policy

A user smart card registered with the S-Series application can have a PIN policy set on the user smart card.

BIO Policy

A user smart card registered with the S-Series application can have a BIO policy set on the user smart card. The smart card needs to have the BIO application (applet) already installed in order to be able to use this feature.

Certificates/Keys

A registered user smart card can have a digital certificate viewed, removed, deleted, imported or set as the default certificate on the smart card. It is also possible to issue certificates to the user smart card if connected to a CA.

Request Certificates

From this page it is possible to add, delete, view and save a certificate that can be managed by the S-Series. Additionally, a certificate request of type PKCS#10 can be sent to the CA. The request will be sent through the template selected from the drop-down list.

Print Smart Card

A registered smart card can be printed with a design layout configured as a template.

Update Smart Card

A user smart card registered with the S-Series application can have its administration key updated.

Virtual Smart Card

It is possible to create a Virtual Smart Card (VSC) from this page. This would typically be for testing purposes only. For more details on using VSC in the S-Series application see the section Manage Virtual Smart Cards below.

Smart Card Information

The Smart Card Information page provides advanced technical information about the attached user smart card. Consult the manufacturer's technical documentation for full details on the smart card.

Repository

The S-Series application maintains detailed repositories for operations performed. This section describes the different repository views.

Transaction Log

All transactions carried out with the S-Series application can be viewed from this repository.

Smart Cards

The Smart Cards repository view displays the end user smart card(s) registered with the S-Series.

Archived Keys

The Archived Keys repository view displays the archived keys created by the S-Series.

Master Keys

The Master Keys repository view shows the master key(s) used by the S-Series application.

Smart Card Transfer

From this page it is possible to import registered user smart cards from other card management systems.

Batch Processes

All batch jobs carried out with the S-Series application can be viewed from this repository view.

Reports

From the Reports page it is possible to create and generate advanced reports.

Certificates

From the Certificates page it is possible to view, revoke and delete certificates that are managed by the S-Series.

System Logs

The System Logs page displays system specific events for the S-Series. The events that are captured here are service stop and start events, and operator events such as login events and failed operator login events.

Managed Devices

From the Managed Devices page it is possible to manage devices that have virtual smart cards that are managed by the S-Series.

Device Management Logs

From the Device Management Logs page information about managed devices is displayed.

Templates

From the Templates menu it is possible to configure the smart card templates and PIN policies that can be set on the user smart card during the issuance stage.

Card Templates

From this page it is possible to configure smart card templates that can be set on the user smart card during the issuance stage.

Certificate Management Templates

From this page it is possible to configure the certificate template(s) for certificates that are to be managed by the S-Series.

PIN Policies

From this page it is possible to configure PIN policy templates that can be set on the user smart card during the issuance stage or from the Actions-PIN Policy page.

BIO Policies

From this page it is possible to configure BIO policy templates that can be set on the user smart card during the issuance stage or from the Actions-BIO Policy page.

Card Layouts

From this page it is possible to configure smart card printing layouts that can be printed on the smart card.

Options

From the Options menu it is possible to configure several specific configurations for the S-Series application, which are described in this section.

License

From the License page it is possible to upgrade the S-Series license.

Settings

From the Settings page it is possible to change settings for backup and the method in which the S-Series application accesses the smart card during the lifecycle management of the smart card.

Security

From the Security page it is possible to set specific security settings for the S-Series application.

Smart Cards

From this dialog, it is possible to add, delete or edit what the default value of the administration key of the supported smart cards should be.

PIV

From this page the card object signing for PIV cards is configured.

Device Management

From this page it is possible to configure settings for devices which have virtual smart cards that are managed by the S-Series.

Master Key

From the Master Key page it is possible to generate a new master key that will be used by the S-Series application to generate the diversified keys used during the user smart card registration process.

Virtual Smart Card

From the Virtual Smart Card page it is possible to enable the support for the management of virtual smart cards in the S-Series application.

Connections

From the Connections page it is possible to set up and configure the various connectors that are available with the S-Series.

Variables

From the Variables page it is possible to configure the system variables and create new variables that can be used to extract information from the S-Series.

Operators

From the Operators page it is possible to configure the different operators of the S-Series application.

Roles

From the Roles page it is possible to configure the role permissions that an operator of the S-Series application can have.

Repository

From the Repository page it is possible to configure a schedule when smart card data can be extracted from the S-Series.

How-to

The How-to section is divided into Configure and Perform Tasks sections in order to distinguish between the configuration options and the user smart card management tasks available in the S-Series.

Configure

This section describes the configuration options available in the S-Series so that administrators can understand and set configurations that meet the specific requirements of an organization's smart card token management. The main configuration tasks are performed from the Options menu item. Each configuration page is described below.

Card Templates

From Card Templates it is possible to configure specific user smart card templates that can be applied to the user smart card during the issuance/management process. It is possible to Add, Delete, Edit or View card templates. All of the configuration options available from Card Templates are described in this section.

Create Card Template

To add a new card template that will be used to issue an end user smart card token, click the Add button on the Templates - Card Templates page. The card templates are divided into different sections depending on which configuration is to be set on the card. Each configuration section is described below.

General Settings

The first step is to create the template by clicking the Edit link beside General, as indicated by the red arrow in the image below. A number of options are available from this dialog.

General Options

Enter an appropriate Name for the user smart card template and select the Card type. If a user smart card that is to be managed by this template is attached, click the Detect button to let the S-Series determine the card type. Add a descriptive comment for the template if required.

Features

Enable Offline unblock if the user smart card PIN must be unblockable offline. Enable Online unblock if the user smart card PIN must be unblockable online.

Note: If Online unblock is disabled it will only be possible to initiate the user's smart card PIN (set a PIN on the smart card) by offline unblock or by automatically setting a PIN on the smart card during the issuance process.

Enable Self-service using following template and select the self-service template to be used. Click the Manage button to configure self-service templates.

For the vsec:cms Operator Card option it is possible to configure operator settings for the template if the template is to be used for issuing operator cards.

Note: It is necessary to be logged into the S-Series with an operator card that has the System Administrator role to configure this feature.

There are two supported methods for configuring operators:

Option 1: A smart card with the S-Series operator applet installed is required for this option. Attach such a card to the host and click the Detect button so that the S-Series detects that the card is an operator card. This makes the option Full Featured Operator Card available from the drop down list. If this option is enabled it will only be possible to issue smart cards that have the S-Series operator applet for this particular card template.

Option 2: Any minidriver enabled card can be used as an operator card, so it is not necessary to have the S-Series operator applet installed on the card. Select the option Authentication Only Operator Card from the drop down list to use this feature. The operator key store feature must be configured in order to use such a card once it is issued.

Click the Roles button if the vsec:cms Operator Card checkbox is enabled.

From this dialog it is possible to configure how the operator selects the role(s) that will be applied to the issued operator card during issuance. If the issuing operator is to be allowed to select the role manually during issuance, select the option Select Operator Role manually during issuance. If the role is to be set automatically during issuance, select the option Automatically set selected role(s) during issuance and select the roles to be set from the available list.

Enable This template is depending on and select from the drop down list the template that this template will be linked to; this is used for temporary card templates. Click the Configure button to configure the settings for the linked template. See the section below for further details.

Enable Supports multiple role(s) to support users who may have multiple roles.

Enable Supports multiple PINs to allow the management of smart cards that support multiple PINs.

Enable Enable plugin(s) to allow the use of plugins in the template, and click the Plugins button to configure the plugin(s).

Permissions

From the Permissions section it is possible to configure the operator roles that will be allowed to configure this template. Enable the Access rights per individual lifecycle tasks option to configure permission checks per lifecycle task; otherwise the permission checks are configured globally per card template. Click the Edit button to select the operator role(s) allowed to use and configure this template.

Enable the Check user validity option to set a global check, performed on all post issuance lifecycle tasks, that the user is still a valid user in the user directory.

Enable the Validate permission option to configure and select the template used if validation steps must be performed before a smart card token is issued to a user. See the section below for further details.

Enable the Check external permission option to configure and select the template used if AD group permissions are to control which user groups specific operators can manage. See the section below for further details.

Issue Card

The next step is to configure the card issuance settings by clicking the Edit link beside Issue Card, as indicated by the red arrow in the image below. Several configuration options are available from this dialog.

General Options

Enable Clean card before issuance to remove any certificates that may exist on the smart card before issuing it.

Enable Automatically initiate cards after issuance to initiate the smart card automatically once the issuance process has completed. If this option is enabled, the S-Series must be configured to set the PIN automatically from the Initiate Card template.

Enable Only issue cards from smart card stock to allow only smart card tokens that are part of card stock to be used. See the section below for more details on this feature.

Note: If the self-service feature is enabled for a template then further options are available. Refer to the self-service section below for details.

User ID Options

Enable the Assign user ID checkbox to set an identifier on the user smart card during issuance and select the ID type from the drop down selection box. Click the Manage button to configure the ID types. Click the Role(s) button, if available, to configure users who have multiple roles; the Role(s) button is only available if this feature is enabled in the General Settings described above.

Enable the Capture photo checkbox to capture a photo of the user during issuance. Click the Configure button and, for Photo Capture, select either Capture always to always capture a photo of the user during issuance, or Capture only if no photo is available to capture a photo only if none exists already. Select the variable that the picture should be assigned to from the To variable drop down list. Enable Save photo to save the picture to the local database of the S-Series during issuance.

Enable the Update card status change to PAMS checkbox if a PAMS connection is configured, and select the PAMS connector from the drop down selection box.

Primary Card PIN Options

Enable Apply PIN Policy to set the PIN policy applied during issuance and select the policy template from the drop down selection box. Click the Manage button to configure the PIN policy templates.

BIO Options

Enable Apply BIO Policy to set the BIO policy applied during issuance and select the policy template from the drop down selection box. Click the Manage button to configure the BIO policy templates.

Enroll Certificate Options

Enable the Enroll Certificate(s) option if the S-Series is configured to connect to a CA and certificates are to be issued to the user smart card during issuance. Click the Default button to set the selected certificate template as the default certificate during issuance; an asterisk appears beside the certificate that is set as default. Click the Add button to add the certificate templates used for the certificates written to the smart card during issuance. Click the Delete button to remove a CA template and click the Edit button to edit the selected CA template.

Enable Import Root/SubCA certificate(s) to smart card (see the section below for further instructions) to write the root and sub CA certificates to the user smart card during issuance.

When the Add button is clicked the dialog below is shown.

Note: If multiple role(s) is configured then the options for key archival / key recovery are not available from this dialog.

Select the required certificate template and click Ok to add it.

Note: If multiple PINs are enabled then further options are available from this dialog. See the section below describing multiple PIN support.

Note: If multiple Role(s) are enabled then further options are available from this dialog. See the section below describing multiple Role(s) support.

Printing Options

Enable the Print smart card checkbox and select the card layout template to be used. Click the Manage button to configure the card layout template. Enable Preview before printing to preview the card print job before actually printing on the card. See the section below for a detailed description of how a printer can be added and used by the S-Series.

Contactless

Enable the Encode RFID checkbox and select the RFID template to be used. Click the Manage button to configure the RFID template. See the section below for a detailed description of how an RFID template can be added and used by the S-Series.

Data Export

Click the Configure button to configure the data export operation(s) that can be performed as part of the issue process. Select an already configured data export template from the drop down list and click the Add button to add the data export operation to the card template.

General Card Properties

The Block PIN(s) checkbox is enabled and cannot be disabled: after every successful smart card issuance the user smart card PIN is blocked. Enable Make card read only to configure the S-Series to set the user smart card as read only, so that no writes to the user smart card are allowed. Enable Cert enrollment/renewal enabled for user to allow the user of the smart card to enroll or renew a certificate. Enable User can import certificate(s) to allow the user of the smart card to import a certificate to the smart card.

Permissions

If the Access rights per individual lifecycle tasks option is enabled in the General settings for the template, then from the Permissions section it is possible to configure the operator roles allowed to perform this particular lifecycle process. Click the Edit button to configure the operator role(s) allowed to perform it.

Revoke Card

The next step is to configure the card revoke settings by clicking the Edit link for Revoke Card, as indicated by the red arrow in the image below. The following options are available from the Revoke Card dialog.

Important: If a Microsoft CA is used, any Operator who attempts to revoke a managed user's smart card that contains certificate(s) from the S-Series console needs the Issue and Manage Certificates permission on the CA to perform this operation. That means the Windows account the Operator logged on with needs this permission on the CA. For example, if the Operator is using the Windows account Bob A. Smith as in the example below, this user needs the permission set as shown. Otherwise the certificate revocation is queued on the S-Series and is only carried out when an Operator who does have this permission logs on and revokes the certificate(s).

Options For Revoke Card

Revoke certificates at CA is permanently enabled, meaning that the S-Series always attempts to revoke the certificate(s) on the CA when performing a revocation. It is not possible to disable this setting.

Enable Force certificate revocation at CA (Fail to revoke smart card if CA is not reachable) to force revocation at the CA: if the CA is unreachable, the user smart card certificate is not revoked and the whole revocation process is aborted. If this option is not enabled and the CA is unreachable when the user smart card is revoked, the revocation request is cached by the S-Series and submitted later.

Disable smart card in PAMS disables the user smart card in the PAMS system, if one is configured, and Delete smart card in PAMS deletes the user smart card from the PAMS system, if one is configured.

Permissions

If the Access rights per individual lifecycle tasks option is enabled in the General settings for the template, then the following options are available. From the Permissions section it is possible to configure the operator roles allowed to perform this particular lifecycle process. Click the Edit button to configure the operator role(s).

Enable the Check user validity option to perform a check that the user is a valid user in the user directory. Enable the Validate Permission option to configure and select the template used if validation steps must be performed before this lifecycle task is carried out. See the section below for further details.

Retire Card

The next step is to configure the card retire settings by clicking the Edit link for Retire Card, as indicated by the red arrow in the image below. The following options are available from the Retire Card dialog.

Options For Retire Card

Card can be reused allows the retired user smart card to be reused by the S-Series. Clean card removes the card template set during the issuance process. Disable smart card in PAMS disables the user smart card in the PAMS system, if one is configured, and Delete smart card in PAMS deletes the user smart card from the PAMS system, if one is configured.

Permissions

If the Access rights per individual lifecycle tasks option is enabled in the General settings for the template, then the following options are available. From the Permissions section it is possible to configure the operator roles allowed to perform this particular lifecycle process. Click the Edit button to configure the operator role(s). Enable the Check user validity option to perform a check that the user is a valid user in the user directory. Enable the Validate Permission option to configure and select the template used if validation steps must be performed before this lifecycle task is carried out. See the section below for further details.

Initiate Card

The next step is to configure the card initiate settings by clicking the Edit link for Initiate Card, as indicated by the red arrow in the image below. The following options are available from the Initiate Card dialog.

Options For Initiate Card

Enable the System set user PIN option and click the Configure button to set the specific PIN configuration that is applied when the card is initiated. Enable Enable smart card in PAMS to enable the user smart card in PAMS, if one is configured, during the initiate process.

On clicking the Configure button the following options are available. From the Initiate PINs section it is possible to configure which PIN value is set on the card when it is initiated.

Select Apply to all PINs if the PIN is to be set on all PINs on the card. This applies only to smart cards that support multiple PINs and that are configured on the system. If Apply to all PINs is not checked, the PIN is set only on the primary card PIN; all other PINs remain blocked.

Select Force change at first use to force the user to change their PIN on first use of the card.

Select Random PIN to have the PIN generated randomly by the S-Series application, and enter the length of the PIN to be created into the PIN length field. If Random PIN is not selected, a static PIN value that will be set on the smart card must be entered into the PIN value field.

From the drop down list in the Send PINs to section, select the export destination to which the S-Series application sends the configured data when the card is initiated. The export mechanisms are configured from Connections - Data Export.

Note: The PIN values configured here must meet the PIN policy set on the card; attempting to set a PIN value that does not meet the card's PIN policy results in errors.

Permissions

If the Access rights per individual lifecycle tasks option is enabled in the General settings for the template, then the following options are available.

From the Permissions section it is possible to configure the operator roles allowed to perform this particular lifecycle process. Click the Edit button to configure the operator role(s). Enable the Check user validity option to perform a check that the user is a valid user in the user directory. Enable the Validate Permission option to configure and select the template used if validation steps must be performed before this lifecycle task is carried out. See the section below for further details.

Activate Card

The next step is to configure the card activate settings by clicking the Edit link for Activate Card, as indicated by the red arrow in the image below. The following options are available from the Activate Card dialog.

Options For Activate Card

Enable Update certificate status at CA to inform the CA that the user certificate should be resumed (unrevoked). Enable Force certificate status update at CA (Fail to revoke smart card if CA is not reachable) to force the CA to be informed about the unrevoke request: if the CA is unreachable, the user smart card certificate is not unrevoked and the process is aborted. Enable smart card in PAMS enables the user smart card in PAMS, if one is configured, during the activate process. Enable Activate Operator account to activate the operator account in the S-Series during the activate process.

Permissions

If the Access rights per individual lifecycle tasks option is enabled in the General settings for the template, then the following options are available. From the Permissions section it is possible to configure the operator roles allowed to perform this particular lifecycle process. Click the Edit button to configure the operator role(s). Enable the Check user validity option to perform a check that the user is a valid user in the user directory. Enable the Validate Permission option to configure and select the template used if validation steps must be performed before this lifecycle task is carried out. See the section below for further details.
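The Initiate Card PIN options above (Random PIN with a PIN length, or a static PIN value, either of which must satisfy the PIN policy on the card or the card rejects it) are illustrated by the following added example. It is not code from the S-Series product or from this guide: the PinPolicy fields (length range, digits only, a cap on identical digits in a row, rejection of ascending or descending runs) are assumed rules standing in for whatever PIN policy template is applied to the card, and the rejection-sampling approach is this example's own design, not a description of how the S-Series generates PINs.

```python
"""Random or static PIN generation checked against a PIN policy.

Added example, not part of the S-Series product or guide. The policy rules
below are assumptions standing in for the PIN policy template applied to
the card; the point is that a PIN is validated against the policy before
anyone tries to write it to the card, so the card never refuses it.
"""
from __future__ import annotations

import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class PinPolicy:
    min_length: int = 6
    max_length: int = 8
    digits_only: bool = True
    max_repeat_run: int = 2        # "111" breaks a max run of 2
    reject_sequences: bool = True  # "1234" or "4321" are rejected
    sequence_len: int = 4          # shortest run that counts as sequential


def violations(pin: str, policy: PinPolicy) -> list[str]:
    """Return every policy rule the PIN breaks; an empty list means compliant."""
    problems: list[str] = []
    if not policy.min_length <= len(pin) <= policy.max_length:
        problems.append(f"length {len(pin)} outside {policy.min_length}-{policy.max_length}")
    if policy.digits_only and not pin.isdigit():
        problems.append("non-digit characters present")
    # longest run of one repeated character
    run = best = 1
    for prev, cur in zip(pin, pin[1:]):
        run = run + 1 if cur == prev else 1
        best = max(best, run)
    if best > policy.max_repeat_run:
        problems.append(f"{best} identical digits in a row")
    if policy.reject_sequences and pin.isdigit():
        for i in range(len(pin) - policy.sequence_len + 1):
            window = [int(c) for c in pin[i:i + policy.sequence_len]]
            steps = {b - a for a, b in zip(window, window[1:])}
            if steps == {1} or steps == {-1}:
                problems.append(f"sequential digits '{pin[i:i + policy.sequence_len]}'")
                break
    return problems


def random_pin(length: int, policy: PinPolicy, max_attempts: int = 1000) -> str:
    """Generate a PIN of the requested length that satisfies the policy.

    Digits come from the OS CSPRNG (secrets); candidates that break the
    policy are discarded and redrawn, so a value the card would refuse is
    never handed out.
    """
    if not policy.min_length <= length <= policy.max_length:
        raise ValueError(f"requested PIN length {length} is outside the policy")
    for _ in range(max_attempts):
        candidate = "".join(secrets.choice("0123456789") for _ in range(length))
        if not violations(candidate, policy):
            return candidate
    raise RuntimeError("policy too restrictive for the requested length")


def check_static_pin(pin: str, policy: PinPolicy) -> str:
    """Validate an operator-entered static PIN before it is written to the card."""
    problems = violations(pin, policy)
    if problems:
        raise ValueError("static PIN rejected by policy: " + "; ".join(problems))
    return pin


if __name__ == "__main__":
    policy = PinPolicy()
    print("random PIN:", random_pin(6, policy))
    for sample in ("284719", "123456", "111111", "12ab"):  # constructed inputs
        print(sample, "->", violations(sample, policy) or "ok")
```

Run stand-alone it prints one random compliant PIN and the verdict for a few constructed inputs. The same violations() check is what a static PIN value should pass through before the Initiate Card step, since the card enforces its policy and simply errors on a non-compliant value.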

Inactivate Card

The next step is to configure the card inactivate settings by clicking the Edit link for Inactivate Card, as indicated by the red arrow in the image below. The following options are available from the Inactivate Card dialog.

Options For Inactivate Card

Enable Update certificate status at CA to inform the CA that the user certificate should be revoked. Enable Force certificate status update at CA (Fail to revoke smart card if CA is not reachable) to force the CA to be informed about the revocation: if the CA is unreachable, the user smart card certificate is not revoked and the process is aborted. If this option is not enabled and the CA is not reachable, the revocation request is cached by the S-Series. Enable Disable smart card in PAMS to deactivate the user smart card in PAMS, if one is configured, during the inactivate process. Enable Deactivate Operator account to deactivate the operator account in the S-Series during the inactivate process.

Permissions

If the Access rights per individual lifecycle tasks option is enabled in the General settings for the template, then the following options are available. From the Permissions section it is possible to configure the operator roles allowed to perform this particular lifecycle process. Click the Edit button to configure the operator role(s). Enable the Check user validity option to perform a check that the user is a valid user in the user directory. Enable the Validate Permission option to configure and select the template used if validation steps must be performed before this lifecycle task is carried out. See the section below for further details.

Lock Card

The next step is to configure the card lock settings by clicking the Edit link for Lock Card, as indicated by the red arrow in the image below.

The following options are available from the Lock Card dialog.

Options For Lock Card

Enable Update certificate status at CA to inform the CA that the user's certificate should be revoked when the card is locked. Enable Force certificate status update at CA (Fail to revoke smart card if CA is not reachable) to force the CA to be informed about the revocation: if the CA is unreachable, the user smart card certificate is not revoked and the process is aborted. If this option is not enabled and the CA is not reachable, the revocation request is cached by the S-Series. Enable smart card in PAMS enables the user smart card in PAMS, if one is configured, during the lock process.

Permissions

If the Access rights per individual lifecycle tasks option is enabled in the General settings for the template, then the following options are available. From the Permissions section it is possible to configure the operator roles allowed to perform this particular lifecycle process. Click the Edit button to configure the operator role(s). Enable the Check user validity option to perform a check that the user is a valid user in the user directory. Enable the Validate Permission option to configure and select the template used if validation steps must be performed before this lifecycle task is carried out. See the section below for further details.

Unlock Card

The next step is to configure the card unlock settings by clicking the Edit link for Unlock Card, as indicated by the red arrow in the image below.

The following options are available from the Unlock Card dialog.

Options For Unlock Card

Enable Update certificate status at CA to inform the CA that the user certificate should be unrevoked. Enable Force certificate status update at CA (Fail to revoke smart card if CA is not reachable) to force the CA to be informed about the unrevoked user certificate: if the CA is unreachable, the user smart card certificate is not unrevoked and the process is aborted. Enable smart card in PAMS enables the user smart card in PAMS, if one is configured, during the unlock process. Enable Automatically initiate cards after unlock to automatically set a PIN code on the card, provided this feature is enabled in the Initiate Card section.

Permissions

If the Access rights per individual lifecycle tasks option is enabled in the General settings for the template, then the following options are available. From the Permissions section it is possible to configure the operator roles allowed to perform this particular lifecycle process. Click the Edit button to configure the operator role(s). Enable the Check user validity option to perform a check that the user is a valid user in the user directory. Enable the Validate Permission option to configure and select the template used if validation steps must be performed before this lifecycle task is carried out. See the section below for further details.

Delete Card

The next step is to configure the card delete settings by clicking the Edit link for Delete Card, as indicated by the red arrow in the image below.

Important: A card should only be deleted if it is reported as lost and/or damaged. Once a card is deleted it will never be possible to bring it back into a working state, i.e. deleting a card is final and non-reversible.

Permissions

If the Access rights per individual lifecycle tasks option is enabled in the General settings for the template, then the following options are available.

From the Permissions section it is possible to configure the operator roles allowed to perform this particular lifecycle process. Click the Edit button to configure the operator role(s). Enable the Check user validity option to perform a check that the user is a valid user in the user directory. Enable the Validate Permission option to configure and select the template used if validation steps must be performed before this lifecycle task is carried out. See the section below for further details.

Update Card

The next step is to configure the card update settings by clicking the Edit link for Update Card, as indicated by the red arrow in the image below. The following options are available from the Update Card dialog.

Options For Card Update

Enable the Update when smart card expires in checkbox if the S-Series is to check whether the user certificate on the smart card needs to be updated, and enter the number of days before the certificate expires at which the S-Series activates the notification. In this example the value is set to 60 days, which means that notifications begin, according to what is configured for the notifications (see below), 60 days before the certificate on the card expires. Click the Configure button to configure the notification message(s) that can be sent to the smart card user when their certificate is due to expire.

Note: To see which smart card(s) have updates pending, either the smart card must be in the possession of the operator, in which case the operator can determine whether it needs to be updated from the Actions - Update Smart Card page, or the operator filters for smart cards that are due for updates from the Repository - Smart Cards page by selecting the Status: update needed filter from the Filtered by drop down list.

Click Add to create a new notification template.

Note: Additional notification templates can be created if different notification messages are to be sent as the certificate expiration approaches.

From this dialog, configure the period during which the notification is sent. Enter a template name as the title. For the period configuration, enter in the From field the number of days before the certificate expires at which this notification starts being sent, and in the To field the number of days for which this notification is sent. For this particular example the notification is therefore sent between the 40th and 50th day. Enable the Enable Notification checkbox and enter in the Notify every field the frequency (in days) at which the notification is sent. In this example a notification is sent once a day between the 40th and 50th day.

Click the Configure Notification button to configure the actual notification message to be sent. Click the Add button to add either an email or an SMS notification message. In this example an email notification is configured. Enter a template name and select Email from the drop down list. Select the configured server to be used from the Outgoing Server drop down list. Click the Edit template button to configure the content of the email that is sent to the smart card user.

The message content can be either MHTML or plain text. If an MHTML file is used for the content, select the Html radio button and click the Import button to select and import the MHTML file into the application. MHTML files can be created using MS Word, for example. It is possible to place S-Series variables in the MHTML page as placeholders that are replaced by actual data retrieved by the application. If plain text is used for the content, select the Text radio button.

Enter the address that the email is sent from into the From field. The To field should contain the variable for the user's email address. To place the variable into the field, select the variable from the Variables drop down list and select Copy; a brief description of the variable appears below the drop down list. Right click the field and select Paste. A CC and BCC can be provided if required. Enter an appropriate subject into the Subject field. For the message, enter an appropriate text with variables to be replaced by specific data from the system. If a variable cannot be resolved when the data is exported, the variable name is used instead: for example, if the variable ${UserPin} is used and for some reason the user PIN cannot be retrieved from the application, the value exported is the variable name itself, i.e. ${UserPin}. Click Ok to save the template.

Important: When adding variable placeholders to either MHTML or plain text, the variable must be entered exactly as defined; variable names are case sensitive.

Note: When constructing the message in plain text, press Ctrl + Return to move the cursor to a new line.

Permissions

If the Access rights per individual lifecycle tasks option is enabled in the General settings for the template, then the following options are available.

From the Permissions section, it is possible to configure the operator roles who will be allowed to perform this particular lifecycle process. Click the Edit button to configure the operator role(s) that are allowed to perform this particular lifecycle process. Enable the Check user validity option, which results in a check being performed to ensure that the user is a valid user in the user directory. Enable the Validate Permission option to configure and select the template that can be used if it is required to perform some validation steps before a smart card token is issued to a user. See the section below for further details on this.
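The notification window and ${Variable} placeholder rules described above, modelled as an added example (not code from the guide or from Versasec). Apart from ${UserPin}, the variable names, user data and expiry date are constructed, and the example reads From and To as both being counted in days before expiry.

```python
"""Notification window and template rendering, as the guide describes them.

Added example, not part of the S-Series guide or of Versasec's code.
Only ${UserPin} is a variable the guide names; the other variable names,
the user values and the expiry date below are constructed.
"""
import re
from datetime import date, timedelta

# ${Name}: letters, digits and underscore, matched case-sensitively
PLACEHOLDER = re.compile(r"\$\{([A-Za-z0-9_]+)\}")


def render_template(template: str, variables: dict) -> str:
    """Replace each ${Name} with its value.

    Lookups are case sensitive (${userpin} is not ${UserPin}), and a
    placeholder that cannot be resolved is left in the output verbatim,
    which is the behaviour the guide gives for ${UserPin}.
    """
    def replace(match):
        value = variables.get(match.group(1))
        return match.group(0) if value is None else str(value)

    return PLACEHOLDER.sub(replace, template)


def notification_dates(expiry: date, from_day: int, to_day: int,
                       notify_every: int) -> list:
    """Calendar dates on which the notification is sent.

    Assumption of this example: From and To are both counted in days
    before the certificate expires, so From=40, To=50, Notify every=1
    gives one notification per day from 50 days before expiry down to
    40 days before it (the guide's "between the 40th and 50th day").
    """
    if not 0 <= from_day <= to_day:
        raise ValueError("From must be between 0 and To")
    if notify_every < 1:
        raise ValueError("Notify every must be at least 1 day")
    first = expiry - timedelta(days=to_day)    # start of the window
    last = expiry - timedelta(days=from_day)   # end of the window
    dates = []
    current = first
    while current <= last:
        dates.append(current)
        current += timedelta(days=notify_every)
    return dates


def build_notification(template: str, expiry: date, send_date: date,
                       user: dict) -> str:
    """Render the message for one send date, exposing the days remaining."""
    variables = dict(user)
    variables["CertExpiry"] = expiry.isoformat()           # constructed name
    variables["DaysToExpiry"] = (expiry - send_date).days  # constructed name
    return render_template(template, variables)


if __name__ == "__main__":
    # Constructed sample data
    expiry = date(2024, 6, 30)
    user = {"UserName": "Alice Example", "UserEmail": "alice@example.invalid"}
    message = ("Dear ${UserName}, your certificate expires on ${CertExpiry} "
               "(${DaysToExpiry} days). PIN: ${UserPin} ${userpin}")
    for day in notification_dates(expiry, 40, 50, 5):
        print(day, build_notification(message, expiry, day, user))
```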

Settings

Backup Settings

It is important to configure and set up the automatic backup of the S-Series application database. By default, the automatic backup feature is enabled. The backup database file is encrypted. It is recommended never to disable this feature: should the S-Series application become unusable while the backup feature is disabled, it will not be possible to recover the registered user smart cards managed by the S-Series.

For the S-Series, the service performs the copy when the backup is performed. You can change the location that the backup database file is copied to by manually entering the location or by clicking the Browse button. For the S-Series, make sure that the service can copy to the new destination folder. It is possible to validate that the backup is performed by clicking the Backup Now button from the Schedule dialog.

It is possible to configure the S-Series application to perform scheduled backups by clicking the Schedule button and configuring the frequency, day and time. The Run as option allows the S-Series application to perform the database backup using a different user account. Enable the Run task using different credentials checkbox and enter the Windows user account details that you wish the backup database operation to run under. The Windows account name should be the Windows samaccountname. This account needs to have permission to access the dat folder of the S-Series. If a user logs onto their PC with a different user account, the backup database operation will still be performed using the user account configured here.

Important: It is strongly recommended to change the location of the backup database file so that it is copied to a location that is securely backed up and is added to your organization's daily IT backup processes. By default the backup is written to C:\Program Files (x86)\versasec\vsec_cms S-Series\dat, if the default location is selected as part of the installation.
It is important that only the Service has permission to enter and/or access the dat folder. By default the S-Series installation sets the permission on this folder to System and it is recommended not to change this.

Configure Action Certificates/Keys Settings

It is possible to configure the S-Series so that a card template can issue certificate(s) without the S-Series actually managing the administration PIN of the smart card. An operator can therefore issue a smart card token with certificate(s) while the S-Series does not manage the smart card token PIN. This can be performed from Actions > Certificate(s)/Keys. Select Enable card template based actions to enable this feature. Enable Allow actions on unregistered cards and click the Configure button to select which card template(s) this feature should be allowed to be used on.

Smart Cards

From the Smart Cards page it is possible to change the default administration key values, as set by the smart card manufacturer, to a configurable value.

Note: If the smart card minidriver is not installed on the system that the S-Series is running on, the smart card will not be recognized and consequently it will not be possible to perform operations with the smart card.

To add a new smart card type, attach the smart card you wish to add and click the Add button. Enter a template name and click the Add button. If the ATR is unknown, click the Get button to automatically retrieve the ATR. In the Administration Key section, the expected administration key value when the smart card is received from the vendor can be set here, along with the default administration value that will be set on the smart card when it is unregistered by the S-Series application. The key type can also be configured.

Note: The ATR and some parts of the bytes are unique for a specific card type, whereas other bytes may differ between smart cards that are still of the same card type. For example, the Gemalto .NET smart cards can have ATR=3B , or ATR=3B . From this, a mask can be configured to inform an application using the smart card which part of the ATR to compare. In the example given, Mask=FF0000FFFFFFFFFFFF means that the bytes 3B and will have to be identical, while the bytes 0000 can be different.

Important: If you are managing a Gemalto/SafeNet eToken it will be necessary to have the SafeNet Authentication Client (SAC) installed on the host from which you manage the tokens. Additionally, if you require the S-Series to perform the initialization of the token, then from the smart card dialog enable the Initialize the token at registration check box as in the example dialog below. This removes the requirement to initialize these tokens using SAC, which would otherwise be required if the S-Series does not perform this task.
Important: If you are managing Atos CardOS smart cards it will be necessary to have them initialized first using the CardOS API application with a PUC code of
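The ATR mask comparison described on the Smart Cards page, as an added example (not code from the guide or from Versasec). The mask FF0000FFFFFFFFFFFF is the guide's; the ATR byte values and card template names are constructed, and the example also generalises to partial mask bytes such as F0.

```python
"""ATR mask matching as described on the Smart Cards page.

Added example, not part of the S-Series guide or of Versasec's code.
The mask FF0000FFFFFFFFFFFF is the one the guide shows; the ATR byte
values and template names below are constructed, not real card ATRs.
"""
from typing import Dict, Optional, Tuple


def _hex_bytes(value: str) -> bytes:
    """Accept 'FF0000FF...' as well as space-separated 'FF 00 00 FF ...'."""
    return bytes.fromhex(value.replace(" ", ""))


def atr_matches(atr: str, reference_atr: str, mask: str) -> bool:
    """True if atr and reference_atr agree on every byte the mask selects.

    Mask byte FF: the ATR byte must equal the reference byte.
    Mask byte 00: the ATR byte may differ (the guide's 0000 positions).
    Generalisation beyond the guide: a partial mask byte such as F0
    compares only the bits that are set in the mask.
    """
    a, r, m = _hex_bytes(atr), _hex_bytes(reference_atr), _hex_bytes(mask)
    if len(r) != len(m):
        raise ValueError("reference ATR and mask must have the same length")
    if len(a) != len(r):
        # This example treats a different ATR length as a different card type.
        return False
    return all((x & mb) == (y & mb) for x, y, mb in zip(a, r, m))


def identify_card(atr: str, card_templates: Dict[str, Tuple[str, str]]) -> Optional[str]:
    """Return the name of the first card template whose (ATR, mask) matches."""
    for name, (reference_atr, mask) in card_templates.items():
        if atr_matches(atr, reference_atr, mask):
            return name
    return None


# Constructed card templates: name -> (reference ATR, mask)
CARD_TEMPLATES = {
    # bytes 2 and 3 vary between cards of this type, everything else must match
    "Constructed card type A": ("3B 11 22 41 42 43 44 45 46", "FF 00 00 FF FF FF FF FF FF"),
    # every byte must match
    "Constructed card type B": ("3B 01 02 03 04 05 06 07 08", "FF FF FF FF FF FF FF FF FF"),
}


if __name__ == "__main__":
    for sample in ("3B 99 88 41 42 43 44 45 46", "3B 11 22 41 42 43 44 45 47"):
        print(sample, "->", identify_card(sample, CARD_TEMPLATES))
```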

Security

From the Security page a number of options are available, depending on the configuration set in the S-Series.

From the Remember Operator Token Passcode section it is possible to configure the S-Series application to securely cache the operator's passcode for a configurable period of time (maximum of 15 minutes), thereby removing the need for the operator to manually enter the passcode for operations requiring passcode entry.

From the Backup Passcode section it is possible to change the S-Series passcode created during the initialization stage. This is the passcode required to unlock the backup database file for the S-Series. The operator will be prompted to enter the operator passcode, and then the operator needs to enter the current passcode followed by the new passcode. A success dialog will be presented after successfully changing the passcode. It is important to adhere to the message in the success dialog, i.e. delete any old backup files, as these files can still be opened with the old passcode.

From the Plugin Security section, enable the Allow loading of unsigned library extensions (DLLs) checkbox if it is required to allow the loading of plugins that have not been signed. For full details on using the vsec:cms plugin features please contact Versasec.

From the Administrator Key Security section, enable the Allow external smart card administration key loading checkbox if it is required to use the self-service functionality of the S-Series. This is required in order to be able to perform administration key operations when using the self-service application. Enable the Enable operator service key store option if the service key store is to be used for the self-service functionality.
From the Application Security section, enable Allow application usage without operator card if it is required to allow operator(s) to log onto the S-Series with their operator card, then remove the operator card and continue to use the S-Series for a configurable period of time without their operator card connected. Set the period of inactivity after which the S-Series application locks in the Logout without any action for field. This feature can be used in environments where only one smart card reader is available. Enable Allow currently logged on Operator to self-issue token if it is required that the currently logged on operator is allowed to issue additional smart card tokens to themselves.

Connections

From the Connections page a number of settings can be configured.

LDAP Server

From Options > Connections click the Configure button and ensure that LDAP Server is selected as in the window below. Then from Options > Connections click LDAP Server to add a template. Users to whom smart cards will be issued and whose user credentials reside in an LDAP server can be configured from here. Enter a template name and enter the hostname of the LDAP server along with the port and protocol, and enable SSL/TLS if a secure connection is required. Click the Test Connection button to ensure that the LDAP server is reachable from the system that the S-Series is running on. If simple authentication parameters are required, enable this option and provide the necessary username and password to connect to the LDAP server. Click the Save button when complete. To delete an existing LDAP connection template, select the template that is to be deleted and click the Delete button.

To edit an existing LDAP connection template, select the template that is to be modified and click the Edit button.

Active Directory

Users to whom smart cards will be issued and whose user credentials reside in an Active Directory (AD) server can be configured from here. From Options > Connections click the Configure button and ensure that Active Directory is selected as in the window below. Then from Options > Connections click Active Directory to add a template. Enter a template name and enable Use current user credentials if the S-Series is running on a host that is logged onto a domain. If more than one DC is available, then select one from the drop-down list in the Server field. If the S-Series is not connected to a DC, then it is possible to enter a domain server address along with a username and password. Click the Test button to ensure that the domain is reachable. An AD search dialog should be displayed if the domain is reachable, from where a user can be searched for to test the connectivity. Click the Save button to complete the setup. To delete an existing AD connection template, select the template that is to be deleted and click the Delete button. To edit an existing AD connection template, select the template that is to be modified and click the Edit button.

Certificate Authorities

The S-Series can be configured to connect to a number of different CAs, each of which is described below in this section.

Microsoft Enterprise Certificate Authority

The S-Series can be configured to connect to a CA by interfacing to AD, available on DCs, or the CA could be running on another server that is not a DC. The S-Series connects to the DC server automatically using the local user credentials, i.e. the user credentials used to log onto the domain, or it can be configured to connect to a specific server using specific credentials (the CA server IP address along with user credentials) from outside of the domain. To add a CA connection, from Options > Connections click the Configure button and make sure that Certificate Authorities is in the Selected window as in the example below. From Options > Connections click Certificate Authorities and click Add to open the dialog where the CA-specific connection details are configured.

Enter a template name and select Windows CA (Microsoft Enterprise Certification Authority) from the drop-down list. Click the Select CA button, which launches a dialog from where it is possible to specify the DC from which the CA configuration information should be read. If the S-Series is on a server connected to the DC, then select the Use from domain radio button and click the Ok button. Otherwise select the Use specific server radio button and enter the server details for the DC and the Windows account to connect with. The Windows account should be the Windows samaccountname. The enterprise CA server details should now be populated in the drop-down lists. Select the appropriate server for your configuration.

Important: There needs to be at least one certificate template available on the CA. Click the Templates button to view all the available CA templates. Enable the Show all checkbox and click the Update button to view all available templates.

Click the Get button to get the certificate issuer DN, which is used if the PKCS#12 import functionality is used. This is required to determine whether the imported PKCS#12 certificates can be managed by the S-Series. If an Enrollment Agent (EA) certificate is required and is not present on the S-Series operator token, simply request one by clicking the Request button. If more than one enrollment agent certificate is configured on the CA, a dialog will be presented from which the enrollment agent certificate should be selected. The message Store on: Operator token will be shown, indicating that the EA certificate is stored on the operator token. Enable Disable retrieving renewed certificates before revocation if it is required to stop the S-Series from checking the CA for certificates that may already have been renewed outside of the S-Series. Click the Save button to complete the setup.

Entrust CA

The S-Series can be configured to connect to an Entrust CA for issuing users with certificates.

Important: It is expected that an administrator who is configuring connections to an Entrust CA has experience and expertise in using an Entrust CA. If further details are required on configuring an Entrust CA please contact Versasec.

Note: If the Entrust CA is used it will not be possible to use the Self-Service capabilities of the S-Series to manage the certificate(s) on the smart card. Also, it will only be possible to configure one Entrust CA connection per S-Series setup.

To add a CA connection, from Options > Connections click the Configure button and make sure that Certificate Authorities is in the Selected window as in the example below. From Options > Connections click Certificate Authorities and click Add to open the dialog where the CA-specific connection details are configured.

Enter a template name and select Entrust from the drop-down list. Click the Configure button for Java. Select the version of the installed Java Runtime Environment (JRE), which needs to be available on the server where the S-Series is running. Also enter any standard JVM parameters that may need to be set depending on your environment and recommendations from Entrust. Click Ok to close.

Important: It is required that a 32-bit version of the JRE is installed on the server, as the S-Series is a 32-bit application.

Click the Configure button for the Client Toolkit dialog. Enter the server address and port that the Entrust CA is running on. Click the Test button to ensure connectivity to the CA. Select Do not login if it is not required to use profile based credentials to authenticate to the CA; otherwise select Use profile based credentials if a profile file is to be used. Browse to the location where the client toolkit epf file that will be used is stored and enter the epf passcode. Click the Test button to ensure that the profile credential selected is valid. If a certificate stored on the operator smart card is to be used, select the Use certificate based credentials radio button. Select the certificate from the drop-down list. Stored on Operator Token should be displayed in the dialog. Click the Test button to ensure that the credential selected is valid.

Note: The certificate credential used on the operator card will need to be present on the card when using this option. The S-Series does not provide a mechanism to import such certificates onto the operator card.

Click OK to save and close the Client Toolkit configuration dialog. Click the Configure button for Admin Toolkit.

Enter the server address and port that the Entrust CA is running on. Click the Test button to ensure connectivity to the CA. Select Do not login if it is not required to use profile based credentials to authenticate to the CA; otherwise select Use profile based credentials if a profile file is to be used. Browse to the location where the admin toolkit epf file that will be used is stored and enter the epf passcode. Click the Test button to ensure that the profile credentials selected are valid. If a certificate stored on the operator smart card is to be used, select the Use certificate based credentials radio button. Select the certificate from the drop-down list. Stored on Operator Token should be displayed in the dialog. Click the Test button to ensure that the credential selected is valid.

Note: The certificate credential used on the operator card will need to be present on the card when using this option. The S-Series does not provide a mechanism to import such certificates onto the operator card.

Click OK to save and close. Enable the Add user to CA check box and click the Configure button to open the dialog if the user that the smart card is to be issued to is to be added to the Entrust CA.

Important: The user will need to exist already in the user directory (typically Active Directory).

From the User type drop-down list select the user type that the user will be added as. The available types are read from the types that are configured on the Entrust CA. From certificate type select the type that will be set for the user. The available certificate types are read from the types that are configured on the Entrust CA. Select which group the user will be assigned to. The available groups are read from the groups that are configured on the Entrust CA. Enable Import from PKCS12 files if it will be required to import PKCS12 file(s) during the issuance process.
Click the Configure button to configure specific settings for the PKCS12 file(s) that are to be imported. Click the Get button for the Certificate Authority Issuer DN to determine the DN of the issuing CA. A PKCS12 file that is to be imported can be selected to allow the S-Series to determine the issuing DN from the PKCS12 file. Click the Get button for Default folder to browse for PKCS12 files and set the default location from which the S-Series will select the PKCS12 files. Enter a default passphrase if the PKCS12 files that are to be imported are configured to be automatically selected from a certificate database certificate list file which has the same passphrase for each PKCS12 file in the database. See the section below for details on how to configure PKCS#12 files to be used from a database file. Click Ok to save and close.

Click the Templates button and click the Update button to retrieve all available certificate templates. See the Entrust Certificate Templates section below for further details on this. Click OK to close. Select Use key archival at CA if it is required to use the Entrust key archival feature.

Entrust Certificate Templates

The Entrust certificate templates that are available from the S-Series are defined in the cfg file CaPluginEntrustCA.cfg. This file is located in the plugins folder where the S-Series was installed. This file defines the certificate templates that are available on the Entrust CA. In this file there is a section <cfg> where the templates are defined. For example, in the example cfg file below there are two templates defined: Verification and Encryption. The certificate template name needs to correspond to the actual template name as configured on the Entrust CA. The name is case sensitive. The <minkeylen> defines the minimum key length as configured on the CA for the particular template. The <keyspec> defines the key type, where 1 is for KEYEXCHANGE and 2 is for SIGNATURE. The <count> parameter, which is a hexadecimal counter, defines how many certificate templates are defined in the cfg, 2 in the example below. If a new certificate template is created on the Entrust CA that needs to be available to the S-Series, then it is necessary to add the template details to the cfg file.
<cfg>
  <templates>
    <count>2</count>
    <1>
      <name>verification</name>
      <minkeylen>1024</minkeylen>
      <keyspec>2</keyspec>
    </1>
    <2>
      <name>encryption</name>
      <minkeylen>1024</minkeylen>
      <keyspec>1</keyspec>
    </2>
  </templates>
</cfg>
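A parser and writer for the CaPluginEntrustCA.cfg template list shown above, as an added example (not code from the guide or from Versasec). It enforces the rules the text gives (hexadecimal <count>, keyspec 1 or 2, templates numbered from 1), and the third template it appends is constructed.

```python
"""Reader and writer for the CaPluginEntrustCA.cfg template list.

Added example, not part of the S-Series guide or of Versasec's code.
The sample below is the guide's two-template cfg; the template added at
the end is constructed. The numbered <1>, <2> ... tags are not valid XML
element names, so a plain XML parser cannot read this file and a small
dedicated parser is used instead.
"""
import re
from typing import List

KEYSPEC = {1: "KEYEXCHANGE", 2: "SIGNATURE"}   # values as documented in the guide

SAMPLE_CFG = """<cfg>
  <templates>
    <count>2</count>
    <1><name>verification</name><minkeylen>1024</minkeylen><keyspec>2</keyspec></1>
    <2><name>encryption</name><minkeylen>1024</minkeylen><keyspec>1</keyspec></2>
  </templates>
</cfg>"""

_TEMPLATES = re.compile(r"<templates>(.*?)</templates>", re.S)
_COUNT = re.compile(r"<count>\s*([0-9A-Fa-f]+)\s*</count>")
_ENTRY = re.compile(r"<(\d+)>(.*?)</\1>", re.S)
_FIELD = re.compile(r"<(name|minkeylen|keyspec)>\s*(.*?)\s*</\1>", re.S)


def parse_entrust_cfg(text: str) -> List[dict]:
    """Return the templates as dicts and validate the cfg's own constraints."""
    section = _TEMPLATES.search(text)
    if section is None:
        raise ValueError("no <templates> section in cfg")
    body = section.group(1)
    count = _COUNT.search(body)
    if count is None:
        raise ValueError("missing <count>")
    expected = int(count.group(1), 16)          # <count> is hexadecimal
    templates = []
    for index, entry in _ENTRY.findall(body):
        fields = dict(_FIELD.findall(entry))
        missing = {"name", "minkeylen", "keyspec"} - fields.keys()
        if missing:
            raise ValueError(f"template <{index}> lacks {sorted(missing)}")
        keyspec = int(fields["keyspec"])
        if keyspec not in KEYSPEC:
            raise ValueError(f"template <{index}>: keyspec must be 1 or 2, got {keyspec}")
        templates.append({
            "index": int(index),
            "name": fields["name"],                 # case sensitive, must match the CA
            "minkeylen": int(fields["minkeylen"]),
            "keyspec": keyspec,
            "keytype": KEYSPEC[keyspec],
        })
    if expected != len(templates):
        raise ValueError(f"<count> is {expected:X} but {len(templates)} templates are defined")
    if [t["index"] for t in templates] != list(range(1, len(templates) + 1)):
        raise ValueError("templates must be numbered 1..count without gaps")
    return templates


def serialize_entrust_cfg(templates: List[dict]) -> str:
    """Write the templates back in the cfg layout, renumbered and with a hex count."""
    lines = ["<cfg>", "  <templates>", f"    <count>{len(templates):X}</count>"]
    for i, t in enumerate(templates, start=1):
        lines.append(f"    <{i}><name>{t['name']}</name>"
                     f"<minkeylen>{t['minkeylen']}</minkeylen>"
                     f"<keyspec>{t['keyspec']}</keyspec></{i}>")
    lines += ["  </templates>", "</cfg>"]
    return "\n".join(lines)


def add_template(text: str, name: str, minkeylen: int, keyspec: int) -> str:
    """Append a template created on the Entrust CA, bumping <count> as the guide requires."""
    if keyspec not in KEYSPEC:
        raise ValueError("keyspec must be 1 (KEYEXCHANGE) or 2 (SIGNATURE)")
    templates = parse_entrust_cfg(text)
    templates.append({"name": name, "minkeylen": minkeylen, "keyspec": keyspec})
    return serialize_entrust_cfg(templates)


if __name__ == "__main__":
    for t in parse_entrust_cfg(SAMPLE_CFG):
        print(t)
    # "Authentication" is a constructed template name, not one from the guide
    print(add_template(SAMPLE_CFG, "Authentication", 2048, 2))
```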

GlobalSign CA

The S-Series can be configured to connect to a GlobalSign Enterprise PKI (EPKI). The EPKI is a cloud-based managed PKI service to issue and manage GlobalSign Client Certificates.

Important: It is expected that an administrator who is configuring connections to EPKI has experience and expertise in using EPKI.

Note: If EPKI is used it will not be possible to use the Self-Service capabilities of the S-Series to manage the certificate(s) on the smart card.

To add a CA connection, from Options > Connections click the Configure button and make sure that Certificate Authorities is in the Selected window as in the example below. From Options > Connections click Certificate Authorities and click Add to open the dialog where the CA-specific connection details are configured. Enter a template name and from the drop-down list of available CAs select GlobalSign (GlobalSign CA). Enter the URL of your GlobalSign CA and click the Test button to ensure connectivity to the GlobalSign CA. A success dialog should appear if the connection is successfully established. Enter the username and password that will be used to authenticate to the GlobalSign CA in the User Name and Password fields and click the Test button to ensure the credentials are correct. A success dialog should appear if the credentials provided are valid. Click the Request fields button to configure the attributes that can be sent in the certificate request. Click the Templates button to view and update the list of available templates from the CA.

Note: When the Templates dialog is opened the names of the templates may not be presented in a user-friendly format. Please request details from Versasec on how to transform the template names into a user-friendly format.

Configure Request Fields

On clicking the Request fields button the dialog below is shown. By default the Common Name (CN) request field is shown. This field is mandatory for the GlobalSign CA. It will be necessary to assign a variable placeholder for this field that is assigned to an attribute value in your directory. By default the Value field will be populated with the placeholder variable ${CommonName}. This placeholder will need to be assigned to a directory attribute value from your directory; for example, in AD this would typically be the attribute cn. If it is required to change this, click the ${CommonName} in the Value field, which opens a dialog from where it is possible to change this value. Additional fields can be added by clicking the Fields button.

Note: For further details and assistance with configuring specific settings for your GlobalSign CA please contact Versasec for support.

Symantec CA

The S-Series can be configured to connect to a Symantec MPKI for issuing users with certificates.

Important: It is expected that an administrator who is configuring connections to a Symantec MPKI has experience and expertise in using a Symantec MPKI.

Note: If the Symantec MPKI is used it will not be possible to use the Self-Service capabilities of the S-Series to manage the certificate(s) on the smart card.

To add a CA connection, from Options > Connections click the Configure button and make sure that Certificate Authorities is in the Selected window as in the example below. From Options > Connections click Certificate Authorities and click Add to open the dialog where the CA-specific connection details are configured. Enter a template name and from the drop-down list of available CAs select Symantec (Symantec MPKI). Enter the URL of your Symantec MPKI and select the client certificate needed to authenticate to the CA. It is possible to import a PKCS#12/PFX client certificate if required for the client certificate by clicking the Import button. Click the Test button to ensure connectivity to the CA. A success dialog should appear if the configuration parameters are correct. Click the Get instances button to retrieve the CA instances available and select the required instance from the drop-down list. Click the Templates button to view and update the list of available templates from the CA. Click the Request fields button to configure the attributes that can be sent in the certificate request.

Note: When the Templates dialog is opened the names of the templates may not be presented in a user-friendly format. Please request details from Versasec on how to transform the template names into a user-friendly format.

Configure Request Fields

On clicking the Request fields button the dialog below is shown. By default three request fields are present. These fields are mandatory for the CA. It will be necessary to assign a variable placeholder for these fields that is assigned to an attribute value in your directory. Click in the Value field (empty by default), which opens a dialog similar to the one below. As can be seen in this example, three S-Series variables are available. These variables are assigned to attributes in the AD. If it is required to add additional variables and assign them to directory attributes, click the Add variable button. Select the variable that will be used from the available list and click Ok. The main dialog will now look similar to the one below. Additional fields can be added by clicking the Fields button. If the Name value should be a static value, hold down the Ctrl key and click in the Value field. For example, in the image below the Country name is to have a static value of USA. By holding down the Ctrl key and clicking the Value field it is possible to enter the static value. The Name fields can be either in bold or normal. If the Name field is in bold it means that a corresponding variable needs to be set in the Value field, as this is a mandatory value for the S-Series in this case. If a value is not available and the Name field is set as mandatory (marked in bold), then the certificate issuance will fail for the user.

nexus CA

The S-Series can be configured to connect to a nexus CA for issuing users with certificates.

Important: It is expected that an administrator who is configuring connections to a nexus CA has experience and expertise in using a nexus CA.

Note: If the nexus CA is used it will not be possible to use the Self-Service capabilities of the S-Series to manage the certificate(s) on the smart card.

To add a CA connection, from Options > Connections click the Configure button and make sure that Certificate Authorities is in the Selected window as in the example below. From Options > Connections click Certificate Authorities and click Add to open the dialog where the CA-specific connection details are configured. Enter a template name and select nexus from the drop-down list. Click the Configure button for Java. Select the version of the installed Java Runtime Environment (JRE), which needs to be available on the server where the S-Series is running. Also enter any standard JVM parameters that may need to be set depending on your environment and recommendations from nexus. Click Ok to close.

Important: It is required that a 32-bit version of the JRE is installed on the server, as the S-Series is a 32-bit application.

Click the Configure button for Connection Settings.

Enter the server details and the port number that the server is listening on. Click the Test button to test connectivity to the CA. Select Use profile based credentials and browse to the location where a PFX exists for the user credential that will be used to authenticate to the CA. Enter the passcode for this PFX in the Profile passcode field and click the Test button to ensure that the credential used is valid. Alternatively, select the Use certificate based credentials radio button if the credential to authenticate the operator to the CA is stored on a smart card token. Select the certificate stored on the token from the drop-down list and click the Test button to ensure that the credential used is valid.

Important: It is required that the Gemalto IDGo 800 PKCS#11 libraries are installed on the host if using the certificate based credential option.

Click Ok to save and close the dialog.

Click the Get instances button to retrieve the CA instances available and select the required instance from the drop-down list. Click the Templates button to view and update the list of available templates from the CA. Click the Request fields button to configure the attributes that can be sent in the certificate request.

Configure Request Fields

On clicking the Request fields button the dialog below is shown. By default three request fields are present. These fields are mandatory for the CA. It will be necessary to assign a variable placeholder for these fields that is assigned to an attribute value in your directory. Click in the Value field (empty by default), which opens a dialog similar to the one below.

As can be seen in this example, three S-Series variables are available. These variables are assigned to attributes in the AD. If it is required to add additional variables and assign them to directory attributes, click the Add variable button. Select the variable that will be used from the available list and click Ok. The main dialog will now look similar to the one below. Additional fields can be added by clicking the Fields button. If the Name value should be a static value, hold down the Ctrl key and click in the Value field. For example, in the image below the Country name is to have a static value of USA. By holding down the Ctrl key and clicking the Value field it is possible to enter the static value.

The Name fields can be either in bold or normal. If the Name field is in bold it means that a corresponding variable needs to be set in the Value field, as this is a mandatory value for the S-Series in this case. If a value is not available and the Name field is set as mandatory (marked in bold), then the certificate issuance will fail for the user.
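Request field resolution as the Request fields dialogs for the Symantec, nexus and UniCERT connections describe it (placeholder variables assigned to directory attributes, static values entered with Ctrl+click, and bold fields that are mandatory), as an added example that is not code from the guide or from Versasec. Only ${CommonName} mapped to cn and the static Country value USA are from the guide; the other variable assignments, field names and directory entries are constructed.

```python
"""Request field resolution as the Request fields dialogs describe it.

Added example, not part of the S-Series guide or of Versasec's code.
Only ${CommonName} -> cn and the static Country value USA come from the
guide; the other variable-to-attribute assignments, field names and the
directory entries are constructed.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

PLACEHOLDER = re.compile(r"\$\{([A-Za-z0-9_]+)\}")


class IssuanceError(Exception):
    """Raised when a mandatory (bold) field cannot be filled for the user."""


@dataclass(frozen=True)
class RequestField:
    name: str            # Name column, e.g. "Common Name"
    value: str           # "${Variable}" placeholder, or a static value (Ctrl+click)
    mandatory: bool      # shown in bold in the dialog


# Variable -> directory attribute (the Add variable dialog); constructed apart from CommonName
VARIABLE_ATTRIBUTES: Dict[str, str] = {
    "CommonName": "cn",
    "EmailAddress": "mail",
    "UserPrincipalName": "userPrincipalName",
}


def resolve_request_fields(fields: List[RequestField], directory_entry: Dict[str, str],
                           variable_attributes: Dict[str, str] = VARIABLE_ATTRIBUTES
                           ) -> Dict[str, str]:
    """Build the name -> value pairs sent in the certificate request.

    A static value is passed through unchanged. A placeholder is looked up
    (case sensitively) in the variable assignments and then in the directory
    entry; an empty result drops an optional field but fails issuance for a
    mandatory one, as the guide states.
    """
    request: Dict[str, str] = {}
    for field in fields:
        match = PLACEHOLDER.fullmatch(field.value)
        if match is None:
            request[field.name] = field.value            # static value
            continue
        attribute = variable_attributes.get(match.group(1))
        value = directory_entry.get(attribute, "") if attribute else ""
        if value == "":
            if field.mandatory:
                raise IssuanceError(
                    f"mandatory field '{field.name}' has no value: "
                    f"{field.value} is not resolvable for this user")
            continue                                       # optional, omitted
        request[field.name] = value
    return request


# Constructed dialog contents, in the style of the guide's three-field example
FIELDS = [
    RequestField("Common Name", "${CommonName}", mandatory=True),
    RequestField("Email", "${EmailAddress}", mandatory=True),
    RequestField("UPN", "${UserPrincipalName}", mandatory=False),
    RequestField("Country", "USA", mandatory=True),   # static via Ctrl+click
]


if __name__ == "__main__":
    # Constructed directory entry with no userPrincipalName
    entry = {"cn": "Alice Example", "mail": "alice@example.invalid"}
    print(resolve_request_fields(FIELDS, entry))
    try:
        resolve_request_fields(FIELDS, {"cn": "Alice Example"})
    except IssuanceError as err:
        print("issuance failed:", err)
```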

UniCERT CA

The S-Series can be configured to connect to a UniCERT CA for issuing users with certificates.

Important: The S-Series uses the UniCERT Programmatic Interface (UPI) to interface to the CA. It is therefore expected that the UPI interface is installed and configured on the CA before integrating with the S-Series.

Important: It will not be possible to use the Self-Service capabilities of the S-Series to manage the certificate(s) on the smart card.

Important: It is expected that an administrator who is configuring connections to a UniCERT CA has experience and expertise in using a UniCERT CA.

To add a CA connection, from Options > Connections click the Configure button and make sure that Certificate Authorities is in the Selected window as in the example below. From Options > Connections click Certificate Authorities and click Add to open the dialog where the CA-specific connection details are configured. Enter a template name and select UniCERT from the drop-down list. Click the Configure button for Java. Select the version of the installed Java Runtime Environment (JRE), which needs to be available on the server where the S-Series is running. Also enter any standard JVM parameters that may need to be set depending on your environment and recommendations from UniCERT. Click Ok to close.

Important: It is required that a 32-bit version of the JRE is installed on the server, as the S-Series is a 32-bit application.

Enter the server details and the port number that the server is listening on, along with the UPI alias. If HTTPS is to be used for the connection, enable the Use HTTPS checkbox and select the certificate to be used from the drop down list. Click the Test button to test connectivity to the CA.

Enter the registration authority ID into the RA-ID field. Select Use profile based credentials and browse to the location of the PFX holding the user credential that will be used to authenticate to the CA. Enter the passcode for this PFX in the Profile passcode field and click the Test button to ensure that the credential is valid.

Note: Use certificate based credentials is currently not supported for this CA and is therefore disabled here.

Click Ok to save and close the dialog.

Click the Get instances button to retrieve the available CA instances and select the required instance from the drop down list. Click the Templates button to view and update the list of available templates from the CA. Click the Request fields button to configure the attributes that can be sent in the certificate request.

Configure Request Fields

On clicking the Request fields button the dialog below is shown. By default three request fields are present. It will be necessary to assign a variable placeholder for these fields that is assigned to an attribute value in your directory. Click in the Value field (empty by default), which will open a dialog similar to the one below.

As can be seen in this example, three S-Series variables are available. These variables are assigned to attributes in the AD. If additional variables need to be added and assigned to directory attributes, click the Add variable button. Select the variable to use from the available list and click Ok. The main dialog will now look similar to the one below.

Additional fields can be added by clicking the Fields button. If the Name value should be a static value, hold down the Ctrl key and click in the Value field. For example, in the image below the Country name is to have a static value of USA. Holding down the Ctrl key and clicking the Value field makes it possible to enter the static value.

The Name fields can be either in bold or normal. If the Name field is in bold, a corresponding variable needs to be set in the Value field, as this is a mandatory value for the S-Series in this case. If a value is not available and the Name field is mandatory (marked in bold), certificate issuance will fail for the user.

IDnomic CA

The S-Series can be configured to connect to an IDnomic CA (formerly known as OpenTrust) for issuing certificates to users.

Important: It is expected that an administrator who is configuring connections to an IDnomic CA has experience and expertise in using an IDnomic CA.

To add a CA connection, from Options Connections click the Configure button and make sure that Certificate Authorities is in the Selected window as in the example below. From Options Connections click Certificate Authorities and click Add to open the dialog where the CA specific connection details are configured. Enter a template name and select Opentrust from the drop down list. Enter the IDnomic server URL that you will connect to in the OpenTrust Server URL field and click the Test button to ensure connectivity to the server. A success dialog will appear if the URL is valid.

Select the certificate that will be used to authenticate to the IDnomic CA from the HTTPS client certificate field. It is recommended that the certificate used to authenticate is stored on the operator smart card. Click the Get instances button to retrieve the available CA instances and select the required instance from the drop down list. Click the Templates button to view and update the list of available templates from the CA. Click the Request fields button to configure the attributes that can be sent in the certificate request.

Configure Request Fields

On clicking the Request fields button the dialog below is shown. In the example below three example fields have been added. It will be necessary to assign a variable placeholder for these fields that is assigned to an attribute value in your directory. Click in the Value field (empty by default), which will open a dialog similar to the one below. As can be seen in this example, three S-Series variables are available. These variables are assigned to attributes in the AD. If additional variables need to be added and assigned to directory attributes, click the Add variable button. Select the variable to use from the available list and click Ok. The main dialog will now look similar to the one below.

Additional fields can be added by clicking the Fields button. If the Name value should be a static value, hold down the Ctrl key and click in the Value field. For example, in the image below the Country name is to have a static value of USA. Holding down the Ctrl key and clicking the Value field makes it possible to enter the static value.

The Name fields can be either in bold or normal. If the Name field is in bold, a corresponding variable needs to be set in the Value field, as this is a mandatory value for the S-Series in this case. If a value is not available and the Name field is mandatory (marked in bold), certificate issuance will fail for the user.
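The request-field rules described for these CA dialogs, as an added Python illustration (not Versasec's code): bold names are mandatory, Ctrl-click values are static, and other values come from variables mapped to directory attributes. The field names, variable names and directory records below are constructed for the example.

```python
"""Request-field resolution as described for the CA connection dialogs.

Added illustration, not Versasec code: field names, variable names and the
directory records below are constructed for the example.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class RequestField:
    """One row of the Request fields dialog.

    `mandatory` corresponds to a Name shown in bold; `variable` is the S-Series
    variable placeholder chosen from the Add variable list; `static` is a value
    typed after Ctrl-clicking the Value field. Exactly one of the two is set.
    """
    name: str
    mandatory: bool
    variable: Optional[str] = None
    static: Optional[str] = None


class MandatoryFieldMissing(Exception):
    """Raised when a bold (mandatory) field has no value: issuance fails."""


def resolve_request_fields(fields: List[RequestField],
                           variable_to_attribute: Dict[str, str],
                           directory_record: Dict[str, str]) -> Dict[str, str]:
    """Return {field name: value} for the certificate request.

    variable_to_attribute maps a variable such as "${UserMail}" to the
    directory attribute it is assigned to; directory_record is the user's
    entry as read from the directory. Optional fields without a value are
    dropped from the request; a mandatory field without a value aborts.
    """
    resolved = {}
    for field in fields:
        if field.static is not None:
            value = field.static
        else:
            attribute = variable_to_attribute.get(field.variable or "")
            value = directory_record.get(attribute) if attribute else None
        if value in (None, ""):
            if field.mandatory:
                raise MandatoryFieldMissing(
                    f"{field.name}: no value for {field.variable!r}")
            continue
        resolved[field.name] = value
    return resolved


# Constructed example configuration (variable and attribute names are assumptions).
VARIABLE_TO_ATTRIBUTE = {
    "${UserName}": "displayName",
    "${UserMail}": "mail",
    "${UserId}": "sAMAccountName",
}

FIELDS = [
    RequestField("Common name", mandatory=True, variable="${UserName}"),
    RequestField("E-mail", mandatory=True, variable="${UserMail}"),
    RequestField("Country name", mandatory=False, static="USA"),       # Ctrl-click value
    RequestField("Department", mandatory=False, variable="${UserDept}"),  # never mapped
]

# Constructed directory entries: one complete, one missing the mail attribute.
USER_WITH_MAIL = {"displayName": "Alice Example", "mail": "alice@example.test",
                  "sAMAccountName": "alice"}
USER_WITHOUT_MAIL = {"displayName": "Bob Example", "sAMAccountName": "bob"}


def demo():
    """Resolve for a complete user; the incomplete user fails issuance."""
    ok = resolve_request_fields(FIELDS, VARIABLE_TO_ATTRIBUTE, USER_WITH_MAIL)
    try:
        resolve_request_fields(FIELDS, VARIABLE_TO_ATTRIBUTE, USER_WITHOUT_MAIL)
        failed = False
    except MandatoryFieldMissing:
        failed = True
    return ok, failed


if __name__ == "__main__":
    print(demo())
```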

EJBCA

To add a CA connection, from Options Connections click the Configure button and make sure that Certificate Authorities is in the Selected window as in the example below. From Options Connections click Certificate Authorities and click Add to open the dialog where the CA specific connection details are configured.

Important: It will only be possible to set up a connection to EJBCA from a host that is running Windows 2008 R2 or later.

Enter a template name and select EJBCA from the drop down list. Enter the EJBCA server URL and from the HTTPS Client Certificate select the CA user certificate used to connect to the EJBCA web service. This user's certificate will need to be in the MS certificate store; it would typically be imported into the MS certificate store as a PKCS#12 file. Click the Get instances button to connect to the EJBCA web service and retrieve the CA details.

Select the certificate authority that you wish to connect to and select the end entity profile to be used. Enter the certificate subject DN as it will be issued in the user certificate. You can use variable placeholders to construct the subject DN. Click the Templates button to configure the CA templates that will be made available from this template. Click the Update button to ensure that all the latest CA templates are available from this dialog. Click the Save button to complete the setup.

DigiCert CA

The S-Series can be configured to connect to a DigiCert Enterprise Managed PKI.

Important: It is expected that an administrator who is configuring connections to DigiCert has experience and expertise in using DigiCert.

Note: If DigiCert is used it will not be possible to use the Self-Service capabilities of the S-Series to manage the certificate(s) on the smart card.

To add a CA connection, from Options Connections click the Configure button and make sure that Certificate Authorities is in the Selected window as in the example below. From Options Connections click Certificate Authorities and click Add to open the dialog where the CA specific connection details are configured. Enter a template name and from the drop down list of available CAs select DigiCert (DigiCert CA). Enter the URL of your DigiCert CA and click the Test button to ensure connectivity to the DigiCert CA. A success dialog should appear if the connection is successfully established. In the Authentication key field enter the authentication key as provided to you by DigiCert and click the Test button. You should receive a success dialog if the key material entered is correct.

Click the Request fields button to configure the attributes that can be sent in the certificate request. Click the Templates button to view and update the list of available templates from the CA.

Note: When the Templates dialog is opened the names of the templates may not be presented in a user friendly format. Please request details from Versasec on how to transform the template names into a user friendly format.

Configure Request Fields

On clicking the Request fields button the dialog below is shown. By default the field names below are shown; the name-value pairs depend on what fields need to be sent in the certificate request. To configure an actual value for a field, click the empty Value field beside the name to be configured. On clicking the empty Value field a dialog similar to the one below will be shown. For example, for the name Certificate Signature Hash the required hash algorithm should be configured here. In this case it needs to be entered as free text, so enable the Use free text radio button and enter, for example, sha256. Additionally, a name value can be mapped to a variable placeholder which retrieves the value from a directory. Additional fields can be added by clicking the Fields button.

Note: For further details and assistance with configuring specific settings for your DigiCert CA please contact Versasec for support.

PKCS#12

The S-Series can be configured to manually import PKCS12 certificate files during smart card issuance. To add a CA connection, from Options Connections click the Configure button and make sure that Certificate Authorities is in the Selected window as in the example below. From Options Connections click Certificate Authorities and click Add to open the dialog where the CA specific connection details are configured. Enter a template name and select PKCS12 from the drop down list.

Click the Get button for the Certificate Authority Issuer DN to determine the DN of the issuing CA. A PKCS12 file that is to be imported can be selected to allow the S-Series to determine the issuing DN from the PKCS12 file. This means that only certificates issued by this issuing CA will be allowed to be imported. Click the Get button for Default folder to browse for PKCS12 files and set the default location from which the S-Series will select PKCS12 files. Enter a default passphrase if the PKCS12 files to be imported are configured to be selected automatically from a certificate database (certificate list file) in which each PKCS12 file has the same passphrase. See the section below for details on how to configure PKCS#12 files to be used from a database file.


Physical Access

From Options Connections click the Configure button and ensure that Physical Access is selected as in the window below. Then from Options Connections click Physical Access to add a template. Click Add to open the dialog where the PAMS specific connection details are configured. The S-Series currently supports the Edge Connector PAMS, which is included as a plug-in. If other PAMS systems need to be configured please contact Versasec for details on how to add a PAMS connector plug-in.

Note: In order to configure a connection to a PAMS, at least one connection to LDAP needs to be already configured, as the PAMS connector expects to read data from LDAP.

Enter a template name and click the Configure button. Enter the directory server specific details, configure the directory settings as necessary for the specific environment and click OK. If the environment on which the PAMS is configured is an AD, the LDAP configuration options can be used to connect to the AD. Add or edit the LDAP filter as required. Click the Test button to ensure that the directory is reachable and that the expected user details are returned.


External Trace

From the Options Connections page it is possible to configure event logging to the MS event viewer for the S-Series application. From Options Connections click the Configure button and ensure that External Trace is selected as in the window below. Then from Options Connections click External Trace to enable external trace.

Enable the Send events check box to send S-Series application events to the MS Windows event viewer. Click Add this computer to add the computer that the S-Series application is running on; events will only be logged to the computers listed in Registered host computers. It will be necessary to have the event provider installed on the server that the S-Series is running on. If the event provider is not installed, the Install event provider button will be enabled and it will be possible to install it.

The following events will be logged with the event viewer:
- Start and stop of the S-Series Windows services;
- The operator who starts the S-Series application;
- The operator who successfully authenticated and logged in;
- The operator who logs off the application;
- The following lifecycle operations: card issued, card PIN unblock, card revoke, card retire and card delete. The details logged will be the operator who performed the action and the user whose card the operation was performed on.
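Two checks a defender might run over the External Trace events listed above, as an added Python illustration (not Versasec's code): lifecycle operations with no preceding operator login, and bursts of card PIN unblocks by one operator. The guide does not give the event provider's record layout, so the tab-separated sample lines below are a constructed stand-in carrying the fields the guide says are logged.

```python
"""Correlating S-Series External Trace events.

Added illustration, not Versasec code: the real event-provider record layout
is not given in the guide, so the tab-separated lines below are a constructed
stand-in carrying the fields the guide says are logged (event, operator, user).
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Event names follow the categories the guide lists for External Trace.
LIFECYCLE = {"card issued", "card pin unblock", "card revoke", "card retire", "card delete"}

# Constructed sample: time, event, operator, user ("-" where not applicable).
SAMPLE_EVENTS = """\
2024-05-06T08:55:10\tservice start\t-\t-
2024-05-06T09:00:02\toperator login\tanna\t-
2024-05-06T09:04:41\tcard issued\tanna\tuser017
2024-05-06T09:10:12\tcard pin unblock\tanna\tuser022
2024-05-06T09:12:30\tcard pin unblock\tanna\tuser023
2024-05-06T09:13:05\tcard pin unblock\tanna\tuser024
2024-05-06T09:13:40\tcard pin unblock\tanna\tuser025
2024-05-06T09:20:00\toperator logoff\tanna\t-
2024-05-06T09:31:00\tcard revoke\tbo\tuser031
"""


def parse_events(text):
    """Yield one dict per record of the constructed format."""
    for line in text.splitlines():
        ts, event, operator, user = line.split("\t")
        yield {"time": datetime.fromisoformat(ts), "event": event,
               "operator": operator, "user": user}


def lifecycle_without_session(events):
    """Lifecycle operations by an operator with no open login session.

    A session opens at "operator login" and closes at "operator logoff". The
    guide says every successful authentication is logged, so a card operation
    outside a session is a record worth reviewing.
    """
    logged_in = set()
    findings = []
    for ev in events:
        if ev["event"] == "operator login":
            logged_in.add(ev["operator"])
        elif ev["event"] == "operator logoff":
            logged_in.discard(ev["operator"])
        elif ev["event"] in LIFECYCLE and ev["operator"] not in logged_in:
            findings.append((ev["time"], ev["event"], ev["operator"], ev["user"]))
    return findings


def unblock_bursts(events, limit=3, window=timedelta(minutes=10)):
    """Operators performing more than `limit` PIN unblocks within `window`."""
    times = defaultdict(list)
    flagged = set()
    for ev in events:
        if ev["event"] != "card pin unblock":
            continue
        # Keep only the unblocks by this operator that fall inside the window.
        recent = [t for t in times[ev["operator"]] if ev["time"] - t <= window]
        recent.append(ev["time"])
        times[ev["operator"]] = recent
        if len(recent) > limit:
            flagged.add(ev["operator"])
    return sorted(flagged)


if __name__ == "__main__":
    evs = list(parse_events(SAMPLE_EVENTS))
    print(lifecycle_without_session(evs))
    print(unblock_bursts(evs))
```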

Email

From the Options Connections page it is possible to configure the email server(s) that can be used by the S-Series application. From Options Connections click the Configure button and ensure that Email is selected as in the window below. Then from Options Connections click Email to add a template. An email server template would be configured if the S-Series application should send email notifications to the smart card user when the user's smart card is initiated. It is possible to add, delete and edit a template.

Important: To use the email functionality Microsoft .NET Framework versions 2.0 and 4.0 are required.

From the Email page click the Configure button for the email server and click the Add button to add a new template. Enter a template name, along with the SMTP server specific details. For Credentials configure the credentials required by your email server to authenticate with. For Connection security enter the type required by your email server. Click the Check Connection button to test that the template configuration is correct. A test email will be sent to the address configured in the Email address field.

Data Export

From the Options Connections page it is possible to configure the data export mechanisms that can be used by the S-Series application. If data needs to be exported from the S-Series application, the data to be exported and the transport mechanism are configured here. It is possible to add, delete and edit a template. Currently, the application supports file, email, print and SQL as the transport mechanisms.

Data Export File

Note: If the data export is configured to write data to an XML file, special characters will be handled differently, because XML syntax reserves some characters for tags and attributes and it is therefore not possible to use those characters directly inside XML tags or attribute values. For these characters the S-Series writes the numeric character reference instead of the character itself, as defined in the XML standard.

To configure the S-Series to export data to file follow these guidelines. From Options Connections click the Configure button and ensure that Data Export is selected as in the window below. Then from Options Connections click Data Export to add a template. If a new template is being added select the type File from the Target drop down list. Select the Write automatically to file option if the data should be written to file when the smart card is initiated. Alternatively, select Write to cache to hold the data in the application's cache so that it can be written to file at a later time. If the Write to cache option is selected, enable the Ask for filename option to prompt the operator to select a file location to write the data to when the operator exports the cache manually. Click the Format button to configure the file format and select the data that can be exported to file. Currently delimited text and XML formats are supported, with encoding of either ANSI or Unicode.

The sequence in which the selected data entries are written to the export file can be configured. For example, if the user's ID (name), the user's email address and the user's PIN are to be exported in that sequence, the Export to file window lists those variables in that order. Use the Up and Down buttons to configure the sequence of data variables as written to file. Click the Browse button to select the file that the application will write the data to if the Write to cache option is not selected.
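The XML note above in working form, as an added Python illustration (not Versasec's code): field values are written with numeric character references so the export stays well-formed in either encoding, and read back to show that the references resolve. The element names, the sample records and the reading of ANSI as the Windows 1252 code page are assumptions made for this example.

```python
"""Writing export data as XML with numeric character references.

Added illustration of the behaviour described in the Data Export File note,
not Versasec code: the element names (export/record/field) and the sample
records are constructed for this example. ANSI is taken to mean the Windows
cp1252 code page; Unicode is written as UTF-16.
"""
import xml.etree.ElementTree as ET

# XML markup characters that can never appear literally in text or attributes.
_RESERVED = set('<>&"\'')

ENCODINGS = {"ANSI": "cp1252", "Unicode": "utf-16"}


def to_xml_text(value: str, codec: str) -> str:
    """Escape a field value for XML using numeric character references.

    Reserved markup characters, control characters, and any character the
    target code page cannot represent are emitted as &#NNN; so the file is
    well-formed regardless of the chosen encoding.
    """
    out = []
    for ch in value:
        if ch in _RESERVED or (ord(ch) < 0x20 and ch not in "\t\n\r"):
            out.append(f"&#{ord(ch)};")
            continue
        try:
            ch.encode(codec)
        except UnicodeEncodeError:
            out.append(f"&#{ord(ch)};")
        else:
            out.append(ch)
    return "".join(out)


def export_records(records, field_order, encoding="Unicode") -> bytes:
    """Serialise records in the configured field sequence.

    records: list of {variable name: value}; field_order: the Up/Down order
    from the Export to file dialog. Returns the encoded file body, including
    an XML declaration naming the encoding actually used.
    """
    codec = ENCODINGS[encoding]
    decl_name = "windows-1252" if codec == "cp1252" else "UTF-16"
    lines = [f'<?xml version="1.0" encoding="{decl_name}"?>', "<export>"]
    for rec in records:
        lines.append("  <record>")
        for name in field_order:
            text = to_xml_text(str(rec.get(name, "")), codec)
            lines.append(f'    <field name="{to_xml_text(name, codec)}">{text}</field>')
        lines.append("  </record>")
    lines.append("</export>")
    body = "\n".join(lines) + "\n"
    return body.encode(codec)


def parse_export(data: bytes):
    """Read an export file back; ElementTree resolves the references."""
    root = ET.fromstring(data)
    return [{f.get("name"): (f.text or "") for f in rec} for rec in root]


# Constructed sample records with characters XML and cp1252 cannot hold literally.
SAMPLE_RECORDS = [
    {"UserId": "O'Brien & Sons <IT>", "UserMail": 'a"b@example.test', "UserPin": "1234"},
    {"UserId": "Zoë Łukasz", "UserMail": "z@example.test", "UserPin": "9876"},
]
FIELD_ORDER = ["UserId", "UserMail", "UserPin"]


if __name__ == "__main__":
    print(export_records(SAMPLE_RECORDS, FIELD_ORDER, "ANSI").decode("cp1252"))
```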

From the Permissions section it is possible to configure the operators with specific roles who will be allowed to export the data. Click Save when complete.

Data Export Email

To configure the S-Series to export data to email follow these guidelines. From Options Connections click the Configure button and ensure that Data Export is selected as in the window below. Then from Options Connections click Data Export to add a template. Select the type Email from the Target drop down list. Select the Send automatically option if an email should be sent when the smart card is initiated. Alternatively, select the Write to cache option to hold the data in the application's cache so that it can be emailed at a later time. Click the Configure mail button to configure the email message. From the SMTP server drop down list select the already configured SMTP server. Click the Test button to ensure that the configuration works as required. A test email will be sent to the address configured in the email connection template. From the Permissions section it is possible to configure the operators with specific roles who will be allowed to export the data. Click Save when complete.

Configure Email Message

In this dialog it is possible to configure the email message to be sent to the smart card user. The message content template can be either in MHTML format or in plain text. If an MHTML file is used for the content, select the Html radio button and click the Import button to select and import the MHTML file into the application. MHTML files can be created using MS Word, for example. It is possible to place S-Series variables into the MHTML page as placeholders, to be replaced by actual data retrieved by the application. If plain text is used for the content, select the Text radio button.

Enter the email address that the email will be sent from into the From field. The To field should contain the variable for the user's email address. To place the variable into the field, select the variable from the Variables drop down list and select Copy. A short description of the variable will appear below the drop down list. Right click the field and select Paste. A CC and BCC can be provided if required. Enter an appropriate subject into the Subject field. For the message, enter an appropriate message with variables to be replaced with specific data from the system. If a variable cannot be resolved when exporting the data, the variable name will be used instead. For example, if the variable ${UserPin} is used and for some reason the user PIN cannot be retrieved from the application, the value exported will be the variable name, i.e. ${UserPin}. Click Ok to save the template.

Important: When adding variable placeholders to either MHTML or plain text the variable needs to be entered correctly, i.e. the variables are case sensitive.

Note: When constructing the message in plain text, in order to move the cursor to a new line it is necessary to press Ctrl + Return.

Data Export Printer

To configure the S-Series to export data to a printer follow these guidelines. From Options Connections click the Configure button and ensure that Data Export is selected as in the window below. Then from Options Connections click Data Export to add a template. Select the type Print from the Target drop down list. Select the Print automatically option if the data should be printed when the smart card is initiated. Alternatively, select the Write to cache option to hold the data in the application's cache so that it can be printed at a later time. Click the Import button to import the print template file. The S-Series application reads the file and imports it into the application's database. The location of this file will be displayed in the Filename field as a pointer to where the file was imported from. If this file is deleted or is no longer available on the system, the application will still have the file stored in the application database. Click the Export button to export this file from the application if required at a later time.

From the Print at drop down list select either Server (only) if the printing is to be carried out on the server side, or Client (only) if the printing is to be carried out on the operator's client. Only one of the options can be selected here, so printing can only be conducted on the server side or the client side depending on what is selected. Additionally, this option can only be configured from the server side. Once the option is chosen it will not be possible to change it on the client side. From the Renderer drop down list either Microsoft Word or Windows system will be available. Microsoft Word will only be available if Microsoft Word is installed on the server or client where the printing is to be conducted. Microsoft Word should be selected when a more advanced printing layout is required.

From the Printer drop down list select from the printer(s) accessible by the server if the printing is to be conducted on the server. Alternatively, if the printing is to be conducted on the operator's client, select from the printer(s) accessible by the client. From the Permissions section it is possible to configure the operators with specific roles who will be allowed to export the data. Click Save when complete.

Note: The print template format supported is rich text format. If font formatting of the text is required, the complete variable name must be formatted too. For example, if the user's first name is to be printed in bold, the variable (as in the example below) should be ${UserFirstName} with the entire variable name in bold. An example file is displayed below:

Dear ${UserFirstName},

Your smart card has been issued.

Your user PIN is: ${UserPin}

You will be forced to change your smart card PIN on first use.

Regards,
The Smart Card Team

Data Export SQL

To configure the S-Series to export data to a SQL database follow these guidelines. From Options Connections click the Configure button and ensure that Data Export is selected as in the window below. Then from Options Connections click Data Export to add a template. If a new template is being added select the type SQL from the Target drop down list. Select the Write to database automatically option if the data should be written to the SQL DB when the smart card is initiated. Alternatively, select Write to cache to hold the data in the application's cache so that it can be written to the SQL DB at a later time. Select the SQL DB from the Database drop down list. From the Permissions section it is possible to configure the operators with specific roles who will be allowed to export the data. Click Save when complete.
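The placeholder rules given for the email message and the print template, as an added Python illustration (not Versasec's code): case-sensitive ${Variable} substitution that leaves an unresolved name in place, plus a check that font formatting in an RTF template has not split a placeholder. Variable names other than ${UserPin} and ${UserFirstName}, the sample values and the RTF fragments are constructed for the example, and the RTF reduction handles only the constructs those fragments use.

```python
"""Placeholder substitution for email and print templates.

Added illustration of the behaviour the guide describes, not Versasec code:
apart from ${UserPin} and ${UserFirstName}, which the guide mentions, the
variable names, sample data and RTF fragments are constructed for this example.
"""
import re

# ${Name}: a variable placeholder exactly as typed in the template.
_PLACEHOLDER = re.compile(r"\$\{([A-Za-z_][A-Za-z0-9_]*)\}")


def render_template(template: str, variables: dict) -> str:
    """Replace each ${Variable} with its value.

    Lookup is case sensitive, as the guide's Important note states; a
    placeholder whose variable cannot be resolved is left in the output as
    its own name (e.g. ${UserPin}) rather than being blanked or failing.
    """
    def substitute(match):
        value = variables.get(match.group(1))
        return match.group(0) if value is None else str(value)
    return _PLACEHOLDER.sub(substitute, template)


def unresolved_placeholders(template: str, variables: dict) -> list:
    """Names of placeholders that render_template would leave unreplaced.

    Useful before saving a template: a mis-cased name such as ${userpin}
    shows up here instead of reaching the card holder verbatim.
    """
    return [m.group(1) for m in _PLACEHOLDER.finditer(template)
            if variables.get(m.group(1)) is None]


def rtf_plain_text(rtf: str) -> str:
    """Minimal RTF-to-text reduction: escaped braces become literal braces,
    control words and group delimiters are dropped, \\par becomes a newline.
    Enough for the fragments below; not a general RTF reader."""
    out, i, n = [], 0, len(rtf)
    while i < n:
        c = rtf[i]
        if c == "\\" and i + 1 < n:
            nxt = rtf[i + 1]
            if nxt in "{}\\":                    # \{ \} \\ are literal characters
                out.append(nxt)
                i += 2
                continue
            m = re.match(r"[A-Za-z]+-?\d* ?", rtf[i + 1:])
            if m:                                # control word such as \b, \b0, \par
                if m.group(0).strip() == "par":
                    out.append("\n")
                i += 1 + m.end()
                continue
            i += 2                               # other control symbol: skip it
            continue
        if c in "{}":                            # group delimiters carry no text
            i += 1
            continue
        out.append(c)
        i += 1
    return "".join(out)


def placeholders_split_by_formatting(rtf: str) -> list:
    """Placeholders visible in the rendered text whose raw RTF is interrupted
    by formatting. In RTF the literal ${Name} is stored as $\\{Name\\}; when
    only part of it is formatted, a group boundary lands inside that token,
    which is what the guide's note about formatting the whole name warns of."""
    plain = rtf_plain_text(rtf)
    return [name for name in _PLACEHOLDER.findall(plain)
            if "$\\{" + name + "\\}" not in rtf]


# Plain-text version of the print template shown in the guide.
PRINT_TEMPLATE = (
    "Dear ${UserFirstName},\n"
    "Your smart card has been issued.\n"
    "Your user PIN is: ${UserPin}\n"
    "You will be forced to change your smart card PIN on first use.\n"
    "Regards,\nThe Smart Card Team\n"
)

# Constructed data as the application might resolve it for one issuance.
COMPLETE = {"UserFirstName": "Alice", "UserPin": "4821"}
NO_PIN = {"UserFirstName": "Bob"}            # PIN could not be retrieved

# Constructed RTF fragments: whole placeholder bold vs. only part of it bold.
RTF_WHOLE_BOLD = r"{\rtf1 Dear {\b $\{UserFirstName\}},\par Regards}"
RTF_PART_BOLD = r"{\rtf1 Dear $\{{\b User}FirstName\},\par}"


if __name__ == "__main__":
    print(render_template(PRINT_TEMPLATE, NO_PIN))
    print(placeholders_split_by_formatting(RTF_PART_BOLD))
```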

Click the Configure fields button to configure the data to be written to the SQL DB. Click the Get button to retrieve and select the database table that the data is to be written to. Select a table column and click Edit value to assign the record to be written to the table. For example, if the smart card CSN is to be written to the SQL database, select the column from the table and click the Edit value button. Select the variable ${Csn} and click OK. During smart card initiation, the smart card serial number will be written to the SQL database table.

Data Export SMS

To configure the S-Series to export data via SMS follow these guidelines. This feature would typically be used for unblocking smart card tokens when used with the USS application, whereby the smart card token unblock code is sent via SMS to the end user. This feature could also be used to send the PIN code set on the smart card during the issuance process. From Options Connections click the Configure button and ensure that Data Export is selected as in the window below. Then from Options Connections click Data Export to add a template. If a new template is being added select the type SMS from the Target drop down list. The Send SMS automatically option will be enabled and it will not be possible to disable it. Click the Configure SMS button to create an SMS message template. Enter a phone number in the Phone number field. This would typically be a variable mapped to an attribute in the user directory. For testing purposes you can enter a valid number into the field. Enter the country code followed by the phone number; for example, if the mobile number used for the test is in the United Kingdom, enter +44<your_mobile_number>. In the message window enter the message content that you wish to send. From the Variables drop down list select the required variable and click the Copy button to copy the variable, which can then be pasted into the message window. Click Ok to save the settings.

Click the Manage button and click Add to add an SMS provider.

Note: Currently the SMS providers that can be used are TeleSign, Certificall, Clickatell, Tyntec and Dolphin. It is also possible to configure a Generic HTTP SMS connector if the provider supports HTTP.

If TeleSign is used, enter a template name; the Service address and Service mobile address fields will automatically be filled with the details for TeleSign. In the Credentials section enter the credentials as provided by TeleSign. Click Save to save and close the dialog.

Click the Test SMS button to test that an SMS message can be sent to the number entered into the Phone number field of the Configure SMS dialog.

For the other supported SMS providers (Certificall, Clickatell, Tyntec and Dolphin) the protocol used is SMS over HTTP, as this is the protocol supported by these providers. If additional providers not listed here support SMS over HTTP, the generic HTTP provider can be configured. Sample configurations have been pre-set for the supported providers. It is necessary to check with your provider to determine what parameters are required. For example, if you are using Clickatell as your provider, enter a template name and select Clickatell from the available SMS providers. Enter the service address and the required protocol. In the Parameters section pre-set parameters are already provided. The user, password and api_id need to be configured with your specific credentials. The to and text parameters will be assigned to variables mapped to attributes, as the phone number will typically need to be retrieved for the user from a user directory and the text needs to be retrieved.

Smart Card Readers

It is possible to hide smart card readers from the S-Series application if only specific smart card readers should be used with the application. For example, to hide a specific reader from the application, attach the reader, select the reader to be hidden and click the OK button. It will then not be possible to use this reader with the application when managing smart cards.

From Options Connections click the Configure button and ensure that Smart Card Readers is selected as in the window below. Then from Options Connections click Smart Card Readers to configure the settings.

Hardware Security Module (HSM)

It is possible to configure a connection to a Hardware Security Module (HSM) from this page. An HSM can be used to store the master key used when diversifying new administration keys while registering new smart card tokens with the S-Series. From Options Connections click the Configure button and ensure that Hardware Security Module is selected as in the window below. Then from Options Connections click Hardware Security Module to configure.

Smart Card Printer

To add a smart card printer click the Configure button.

Note: Currently the S-Series supports the Fargo HDP5000, Datacard SR300 and Evolis Primacy printers.

From the Smart Card Printer dialog the connection to the printer is configured. See the section below for further details on configuring the S-Series to use smart card printers. From Options Connections click the Configure button and ensure that Smart Card Printer is selected as in the window below. Then from Options Connections click Smart Card Printer to configure.

Photo Capture

It is possible to configure the S-Series to connect to a camera which can be used to take a picture of a user during the smart card issuance process. See the section below for further details on configuring this feature.

Important: Version 4.0 of the .NET Framework needs to be installed on the server where the S-Series is installed.

From Options Connections click the Configure button and ensure that Photo Capture is selected as in the window below. Then from Options Connections click Photo Capture to configure.

SQL Database

The S-Series uses its own internal database, which stores information about the smart cards registered and managed by the application along with configuration settings. This is a proprietary database. However, if a third party database is required, it is possible to configure the S-Series to connect to a SQL database to store data for the application. Currently the following data will be stored in the SQL database:
- Information on the smart cards managed by the application;
- Information on certificates issued to smart cards managed by the application;
- Information on transactions performed with the application;
- Information on the IDs assigned to smart cards managed by the application;
- Information on the master keys used in the application.

Additionally, it is possible to export configurable data from the S-Series to an SQL database.

Note: Currently the S-Series will only support the MS SQL database. If support for other SQL database vendors is required please contact Versasec.

Note: The SQL Native Client provider must be installed on the host on which the S-Series is installed. Version information is provided in the table below.

SQL Native Client Version     MS SQL Server
9.0 (SQLNCLI)
10.0 (SQLNCLI10)              2000, 2005 and
11.0 (SQLNCLI11)              2005, 2008, 2012 and 2014

It is possible to check which SQL Native Client versions (if any) are installed on your server. Open the ODBC Data Source Administrator console; the Drivers tab shows the installed clients. For example, the screenshot below shows that versions 10 and 11 are available. For detailed instructions on setting up and using this connection please refer to the section below.

User Self-Service

From the User Self-Service (USS) page it is possible to configure the connection settings for the USS service. The USS is a SOAP service that runs on the S-Series server and services USS client requests. The Windows service that manages this service is named vsec:cms User Self Service.

Important: A minimum of Windows .NET Framework 4.0 will need to be installed on the S-Series server for this feature.

From Options Connections click the Configure button and ensure that User Self-Service is selected as in the window below. Then from Options Connections click User Self-Service to configure.

The dialog below will be shown if the USS feature was not enabled when your provider issued the System Owner operator card. Click the Get challenge button and provide the challenge to your provider as instructed. Your provider will return a code; paste it into the Upgrade field and click the Upgrade button to apply the code and enable the USS connection settings dialog. When this feature is enabled it will be possible to configure the connection settings.

Enable the All adapters checkbox if there are several different network adapters available; the S-Series will then listen on all available adapters for incoming connections. Enter the host name of the S-Series server and the port that the server will listen on. Enable the Use SSL checkbox, which is strongly recommended, so that the communication is over SSL/TLS.

In the Server connection point section enable the Customized endpoint address and enter the endpoint URL, i.e. the URL that should be configured on the end users' client workstations, if the clients are configured to go through an HTTP proxy.

From the Server certificate list select the server certificate to use for SSL/TLS. This certificate needs to be available in the MS certificate store for the local machine, in the Personal store. Click OK to save the configuration.

For further details on using the USS refer to the section below.

Operator Console Service

From the Operator Console Service page the connection settings for this service are configurable. This service is a SOAP service and is managed by the Windows service named vsec:cms Operator Console Service. The service allows operators to connect to the S-Series using a client-side application console to perform restricted lifecycle management operations. This means that operators can connect to the S-Series using a client-server model over HTTP, removing the requirement to connect over RDP / Terminal Services.

Important: A minimum of Windows .NET Framework 4.0 will need to be installed on the S-Series server for this feature.

From Options Connections click the Configure button and ensure that Operator Console Service is selected as in the window below. Then from Options Connections click Operator Console Service to configure.

Enable the All adapters checkbox if there are several different network adapters available; the S-Series will then listen on all available adapters for incoming connections. Enter the host name of the S-Series server and the port that the server will listen on. Enable the Use SSL checkbox, which is strongly recommended, so that the communication is over SSL/TLS.

In the Server connection point section enable the Customized endpoint address and enter the endpoint URL, i.e. the URL that should be configured on the operator client's workstation, if the operator clients are configured to go through an HTTP proxy.

From the Server certificate list select the server certificate to use for SSL/TLS. This certificate needs to be available in the MS certificate store for the local machine, in the Personal store. Click OK to save the configuration.

Plugin API

The vsec:cms Plugin API enables integration with the vsec:cms lifecycle processes. The plugins make it possible to customize the smart card management lifecycle processes and add/modify tasks for each lifecycle process, for example, load applets, create and/or edit files on the smart card, generate keys, load credentials and report lifecycle changes to external systems. For full details, including sample code and examples, please contact Versasec.

From Options Connections click the Configure button and ensure that Plugin API is selected as in the window below. Then from Options Connections click Plugin API to configure.

RSDM Service

From the RSDM Service page the connection settings for this service are configurable. This service is a SOAP service and is managed by the Windows service named vsec:cms RSDM Service. The service allows devices which have Virtual Smart Cards (VSC) managed by the S-Series, and which have the RSDM service installed, to connect to the S-Series, thereby allowing for the centralized management of these devices. The communication will be over HTTP(S). See the section below for more details on device management.

Important: A minimum of Windows .NET Framework 4.0 will need to be installed on the S-Series server for this feature.

From Options Connections click the Configure button and ensure that RSDM Service is selected as in the window below. Then from Options Connections click RSDM Service to configure.

Enable the All adapters checkbox if there are several different network adapters available; the S-Series will then listen on all available adapters for incoming connections. Enter the host name of the S-Series server and the port that the server will listen on. Enable the Use SSL checkbox, which is strongly recommended, so that the communication is over SSL/TLS.

In the Server connection point section enable the Customized endpoint address and enter the endpoint URL, i.e. the URL that should be configured on the operator client's workstation, if the operator clients are configured to go through an HTTP proxy.

From the Server certificate list select the server certificate to use for SSL/TLS. This certificate needs to be available in the MS certificate store for the local machine, in the Personal store. Click OK to save the configuration.

Variables

From the Variables page it is possible to configure the variables and the associated data that can be extracted from the S-Series application. The application is pre-configured with variables of type system, directory or smart card. It is not possible to delete the pre-configured variables. It is possible to change the description of a pre-configured variable by selecting it and clicking the Edit button. To add a new variable click the Add button and enter an appropriate name and description.

Note: It is only possible to delete variables of type Directory or Smart card.

Configure Directory Variables

All new variables added will need to be assigned to a directory attribute. For example, to assign a variable of type Directory to an attribute from AD, browse to Templates Card Templates, select the specific card template and click Edit. Click the Edit link beside Issue Card and, in the User ID Options section where Assign user ID is set to an AD, click the Manage button. From the available templates select the template type that points to the required AD and click Edit. Click the Edit button beside Variable(s) and configure the attributes as required.

It is possible to test that the application can retrieve the attributes from the directory. The first step is to select a user from the directory: select the user from the ID Assign dialog by clicking the Get ID button. Then click the Edit button beside Variable(s); the Test button should now be enabled. On clicking the Test button you should see a dialog with the values returned from the directory.

Configure Smart Card Variables

It is possible to configure variable types that can be used to generate customizable identifiers for the smart card tokens that are managed by the S-Series. From the Variables page click the Add button and select Smart card from the first drop down list. Enter a name, label and description for the variable and select Unique number from the second drop down list.

Enable the Mandatory checkbox if a smart card ID must always be generated when managing smart card tokens. Click the Configure button to configure the format that the customizable smart card identifiers will take.

In the Prefix and Suffix fields you can enter a specific value if required. These values will then be set as a prefix and/or suffix for any smart card token managed by the S-Series. If the number format is set to Hex then the values entered here need to be hexadecimal values, and if the number format is set to Decimal then the values entered here need to be decimal. Alternatively any character value can be set here if it is preceded with a - or a () characters. For example a prefix of KK- and suffix of -XX would be allowed, or (AA) and (BB) would also be allowed.

In the Length field enter the number of digits that will be allowed for the customizable identifier. For the Number format select either hexadecimal or decimal for the format that the identifier will take. Select Generate random number if the identifier is to be randomly generated, or select Generate incremental number if the identifiers are to be incremental.

Depending on the value entered into the Length field and the number format selected, information about the maximum number of available identifiers is displayed. The Numbers generated figure indicates how many identifiers have been generated to date. The Unique numbers available figure indicates how many more unique values can still be used, again depending on what is configured. Click the Test button to see a sample of what the identifiers would look like if the mechanism is used.

Enable the Enable generation checkbox to enable the generation of customizable smart card identifiers for smart card tokens managed by the S-Series. Enable Generate new one at each smart card issuance if a new identifier should be generated for a smart card token every time that particular smart card is issued and managed by the S-Series. Enable Generate new at smart card registration if a unique identifier should be generated when a smart card token is registered.

If this option is selected and a smart card is subsequently issued then a new unique value will be generated again when the smart card token is issued.
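As an added illustration, not part of this guide or of the product's own code, the following Python models the identifier format configured in the dialog above: prefix and suffix validation against the chosen number format, the Length and Number format settings, random versus incremental generation, and the capacity figures (maximum available, generated to date, unique values remaining). The way a prefix/suffix is exempted from the digit rule (a - at the edge adjoining the number, or enclosing parentheses) and the rejection-sampling approach for random mode are my reading of the text; the product's real generator is not documented on the page.

```python
import random
import string

HEX_DIGITS = set(string.hexdigits)
DEC_DIGITS = set(string.digits)


def validate_affix(value: str, number_format: str) -> bool:
    """Apply the Prefix/Suffix rule from the Variables dialog.

    Plain values must be digits of the selected number format.  A value that
    carries a '-' on the side facing the number (KK- / -XX) or is wrapped in
    parentheses ((AA) / (BB)) may contain any characters.  This is an
    interpretation of the guide's wording, not the product's parser.
    """
    if value == "":
        return True
    if value.startswith("-") or value.endswith("-"):
        return True
    if value.startswith("(") and value.endswith(")"):
        return True
    allowed = HEX_DIGITS if number_format == "hex" else DEC_DIGITS
    return all(ch in allowed for ch in value)


class SmartCardIdGenerator:
    """Generates identifiers of the form [prefix][number of `length` digits][suffix]."""

    def __init__(self, prefix="", suffix="", length=8, number_format="hex",
                 mode="random", rng=None):
        if number_format not in ("hex", "dec"):
            raise ValueError("number_format must be 'hex' or 'dec'")
        if mode not in ("random", "incremental"):
            raise ValueError("mode must be 'random' or 'incremental'")
        if length < 1:
            raise ValueError("length must be at least 1")
        for affix in (prefix, suffix):
            if not validate_affix(affix, number_format):
                raise ValueError(f"affix {affix!r} is not valid for {number_format} format")
        self.prefix, self.suffix = prefix, suffix
        self.length, self.number_format, self.mode = length, number_format, mode
        self.base = 16 if number_format == "hex" else 10
        self.capacity = self.base ** length      # "maximum number of available identifiers"
        self.generated = set()                   # values handed out so far ("numbers generated")
        self.next_value = 0                      # counter used in incremental mode
        # A CSPRNG by default: predictable identifiers would let an outsider guess
        # valid card IDs, so Python's default Mersenne Twister is not used here.
        self.rng = rng if rng is not None else random.SystemRandom()

    def unique_numbers_available(self) -> int:
        return self.capacity - len(self.generated)

    def _format(self, value: int) -> str:
        if self.number_format == "hex":
            digits = format(value, f"0{self.length}X")
        else:
            digits = f"{value:0{self.length}d}"
        return f"{self.prefix}{digits}{self.suffix}"

    def sample(self, n: int = 3) -> list:
        """Preview identifiers without consuming them, like the dialog's Test button."""
        if self.mode == "incremental":
            return [self._format(self.next_value + i) for i in range(n)]
        return [self._format(self.rng.randrange(self.capacity)) for _ in range(n)]

    def generate(self) -> str:
        if self.unique_numbers_available() == 0:
            raise RuntimeError("identifier space exhausted; increase Length")
        if self.mode == "incremental":
            value = self.next_value
            while value in self.generated:
                value += 1
            self.next_value = value + 1
        else:
            # Rejection-sample until an unused value turns up; exhaustion is
            # excluded by the check above, so this loop always terminates.
            value = self.rng.randrange(self.capacity)
            while value in self.generated:
                value = self.rng.randrange(self.capacity)
        self.generated.add(value)
        return self._format(value)


if __name__ == "__main__":
    gen = SmartCardIdGenerator(prefix="KK-", suffix="-XX", length=4,
                               number_format="dec", mode="incremental")
    print("capacity:", gen.capacity, "sample:", gen.sample(2))
    print("issued:", gen.generate(), gen.generate(), "left:", gen.unique_numbers_available())
```

The capacity figure is simply base to the power of Length, which is why a short decimal Length runs out quickly: four decimal digits give 10,000 identifiers, four hexadecimal digits 65,536.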

Variable Definitions

The table below provides a description of the default variables that are installed as part of the S-Series.

Name                        Description
Csn                         The smart card serial number.
RfidCsn                     The smart card RFID serial number in default representation as hexadecimal.
RfidCsnDec                  The smart card RFID serial number in decimal representation.
RfidCsnDecRev               The smart card RFID serial number in decimal reversed representation.
RfidCsnHex                  The smart card RFID serial number in hexadecimal representation.
RfidCsnHexRev               The smart card RFID serial number in hexadecimal reversed representation.
CardType                    The name of the smart card template created.
UserId                      The user ID assigned to the smart card (display name).
UserDn                      The distinguished name (DN) of the user.
CardState                   The state that the smart card is in.
TokenId                     The operator token ID.
TokenName                   The operator token name.
OperatorName                The user name of the currently logged in operator.
User                        The address for the user whose smart card is managed.
CardProcess                 The smart card lifecycle name that the card is in.
CurrentTimeStr              The date and time as a string.
CurrentTimeLong             The date and time as a long integer.
SelfServicePinUnblockCode   The self-service PIN unblock code.
SelfServiceUserPassphrase   The self-service passphrase for the user.
DbCardsCsn                  The smart card serial number as stored in the database.
DbCardsKeyid                The master key ID from which the current smart card administration key is derived.
DbCardsStatus               The current status of the smart card represented as an ID.
DbCardsStatusStr            The current status of the smart card represented as a string.
DbCardsRfidCsn              The RFID of the smart card as stored in the database.
DbCardsRfidCsnDec           The RFID of the smart card as stored in the database in decimal representation.
DbCardsRfidCsnDecRev        The RFID of the smart card as stored in the database in reversed decimal representation.

DbCardsRfidCsnHex           The RFID of the smart card as stored in the database in hexadecimal representation.
DbCardsRfidCsnHexRev        The RFID of the smart card as stored in the database in reversed hexadecimal representation.
DbCardsIdDn                 The DN of the user as stored in the database.
DbCardsIdDisp               The display name of the user as stored in the database.
DbCardsIdSrc                Where the ID comes from (directory, manually input, PAMS).
DbCardsLastchanged          The timestamp as an integer when the smart card status changed.
DbCardsLastchangedStr       The timestamp as a string when the smart card status changed.
DbCardsTemplate             The card template ID as stored in the database as an integer.
DbCardsTemplateName         The card template name as stored in the database as a string.
DbCardsExpire               The date that the certificate issued to the smart card expires as an integer.
DbCardsExpireStr            The date that the certificate issued to the smart card expires as a string.
DbCardsRfidWiegandCode      The RFID Wiegand code used as stored in the database.
DbCardsRfidWiegandCardId    The RFID Wiegand ID used as stored in the database.
DbCardsCardType             The smart card type as stored in the database.
DbCardsCardVersion          The smart card version information as stored in the database.
DbCardsApplets              The smart card applet information as stored in the database.
DbCardsPolicies             The smart card PIN policy name as stored in the database.
DbCardsUsedPins             The smart card PINs set as an integer as stored in the database.
DbCardsUsedPinsStr          The smart card PINs set as a string as stored in the database.
DbMKeysKeyId                The master key ID as stored in the database.
DbMKeysCreated              The date that the master key was created as an integer as stored in the database.
DbMKeysCreatedStr           The date that the master key was created as a string as stored in the database.
DbMKeysCardsCnt             The number of smart cards issued using the master key as stored in the database.
DbMKeysComment              The comment entered to describe the master key, as set when creating the master key, as stored in the database.
DbTLogsId                   The transaction log ID as stored in the database.

DbTLogsTime                 The date that the transaction log entry occurred as an integer as stored in the database.
DbTLogsTimeStr              The date that the transaction log entry occurred as a string as stored in the database.
DbTLogsTokenId              The ID of the E-Edition token used as stored in the transaction log.
DbTLogsOperator             The operator who performed the transaction as stored in the database.
DbTLogsAction               Internal S-Series comment describing the transaction performed.
DbTLogsData                 Internal S-Series additional information about the transaction performed.
DbTLogsCsn                  The serial number of the smart card on which the transaction was performed.
DbTLogsBatchId              The batch job ID if the transaction was performed as part of a batch job.
DbTokensTime                The date as an integer that the S-Series token was added.
DbTokensTimeStr             The date as a string that the S-Series token was added.
DbTokensTokenId             The ID of the operator token used when using the E-Edition.
DbTokensComment             Internal description of the transaction performed when using the E-Edition.
DbTokensName                The name of the E-Edition used when the transaction was performed.
DbTokensCsn                 The card serial number of the E-Edition used.
DbBatchId                   The ID of the batch job used.
DbBatchType                 The type of the batch job.
DbBatchStarted              The date as an integer when the batch job was started.
DbBatchStartedStr           The date as a string when the batch job was started.
DbBatchEnded                The date as an integer when the batch job ended.
DbBatchEndedStr             The date as a string when the batch job ended.
DbBatchProcess              The lifecycle processes that the batch job carried out.
DbBatchOperator             The operator who performed the batch job.
DbBatchCntSucc              The number of successful jobs performed in the batch job.
DbBatchCntFail              The number of unsuccessful jobs performed in the batch job.
DbBatchCntAll               The total number of jobs in the batch job.
DbBatchFileName             The name of the batch job file used.
DbBatchFileHash             The hash of the batch job file used.

DbBatchComment              Comment describing the purpose of the batch job.
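The RfidCsn* variables in the table above expose the same RFID serial number in four encodings, and physical access systems frequently report the UID in one of the others, which is the usual cause of a card that "does not match" the PACS record. The Python below is an added example, not code from the guide or from Versasec, that derives the four representations from a raw UID and tells you which one a reader is reporting. It assumes that Hex is the UID bytes as read from the card, Dec is those bytes as a big-endian unsigned integer, and the Rev variants reverse the byte order; the page does not define "reversed" more precisely than that. The UID used in the usage example is constructed.

```python
def parse_uid(text: str) -> bytes:
    """Accept a UID as most readers print it: hex digits, optionally separated by ':', '-' or spaces."""
    cleaned = text.replace(":", "").replace("-", "").replace(" ", "")
    if len(cleaned) == 0 or len(cleaned) % 2:
        raise ValueError("UID must be an even number of hex digits")
    return bytes.fromhex(cleaned)  # ValueError on non-hex characters


def rfid_representations(uid: bytes) -> dict:
    """Return the RfidCsn* variable values for one UID.

    Assumed mapping (not stated on the page): Hex = bytes as read, Dec = the
    same bytes as a big-endian integer, *Rev = byte order reversed first.
    """
    if not uid:
        raise ValueError("empty UID")
    rev = uid[::-1]
    hex_fwd = uid.hex().upper()
    return {
        "RfidCsn": hex_fwd,                           # default representation is hexadecimal
        "RfidCsnHex": hex_fwd,
        "RfidCsnHexRev": rev.hex().upper(),
        "RfidCsnDec": str(int.from_bytes(uid, "big")),
        "RfidCsnDecRev": str(int.from_bytes(rev, "big")),
    }


def identify_representation(uid: bytes, observed: str) -> list:
    """Names of the representations that equal a value reported by a reader or PACS (sorted, may be empty)."""
    norm = observed.strip().upper()
    return sorted(name for name, value in rfid_representations(uid).items() if value == norm)


if __name__ == "__main__":
    uid = parse_uid("04:A2:B3:C4")   # constructed sample UID
    for name, value in rfid_representations(uid).items():
        print(f"{name:14} {value}")
    print("PACS reports 3300106756 ->", identify_representation(uid, "3300106756"))
```

When a PACS exports decimal card numbers, comparing against RfidCsnDec and RfidCsnDecRev in this way is faster than guessing, and the variable to use in exports or card layouts follows directly from the name returned.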

Operators

It is possible to configure the operator(s) of the S-Series from the Options Operators page.

Note: When the S-Series is created, typically by a smart card vendor distributor, the distributor will issue what is referred to as a System Owner operator token. This operator will be able to perform all CMS operations. It will not be possible to change the roles configured for this operator.

Note: Only an operator with the System Administrator role can activate, deactivate, edit or delete another operator.

From this page it is possible to configure the operators that are allowed to perform operations with the S-Series. Additionally it is possible to configure the EA signing certificate that can be used for signing user certificate requests when performed through the USS. Each operator will be listed in the table as in the sample below.

The ID is an internal identifier for the operator in the system. The Name is the name of the person the operator card was issued to; the System Owner operator card will always be named System Owner. The Role(s) column lists all of the role(s) assigned to this operator. The CSN is the card serial number for the particular operator card. The # of keys is the number of registered authentication keys on an operator's token, which are used when operators log onto the S-Series. The Registered at is the time and date when the operator card was created on the system. The Last logon at is the time and date when the operator last logged onto the system.

A number of configuration options are available from here.

Certificate Request Signing

Click the Cert request signing button to open the dialog below.

From this dialog the EA certificate that can be used for signing certificate requests from clients using the USS is configured. Select the CA to be used from the Certification Authorities drop down list. Summary information about the selected CA will be shown in the window below it. From the Certificate(s) drop down list select the EA certificate that will be used. The S-Series will present the certificate(s) it finds in the Windows certificate store for the Windows user account that the S-Series service is running under. The corresponding private key will need to be available. If an HSM is used to store the private key for the EA then the HSM will need to support MS-CAPI/CNG.

Important: It is required that the S-Series service is configured to run under a specified Windows user account in this type of setup. This adds a higher level of security, as only the specified Windows user account will have access to the EA certificate. Refer to the section below for details on how to configure the S-Series service to run under a specified Windows user account.

Important: It is required that the certificate selected here is an EA certificate type, otherwise the certificate issuance will be rejected by the CA.

Click the Test button to check that the certificate can be used to sign certificate requests. Click the View button to see additional information about the selected certificate. Enable Check certificate validity before signing if you want the S-Series to check the certificate's validity. Enable Stop card issuance before expiry date to set the number of days before the expiry of the EA certificate inside which any certificate issuance will fail. Enable Warn before stop and enter the number of days before the stop criteria becomes effective, which will result in a warning being shown in the system health.

Update Keys

It is possible to update the S-Series with the authentication key(s) used to authenticate an operator when logging on as a client. If a new key is added to an operator's card, a logged on operator can add the new authentication key for this operator by selecting the operator from the table and attaching the operator's card to the system.
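The Stop card issuance before expiry date and Warn before stop options described above define three windows on the EA certificate's lifetime. As an added example that is not part of the guide or of the product, the Python below classifies a certificate for an external health check using the same two settings; it assumes that Warn before stop is counted back from the stop date (as the text says, "before the stop criteria becomes effective") and that the boundary day itself already belongs to the later state, which the page does not spell out. Dates are passed as ISO strings so the check can be fed from a certificate export without extra parsing.

```python
from datetime import date, timedelta


def ea_certificate_state(not_after_iso, today_iso, stop_days=None, warn_days=None):
    """Classify the EA certificate against the Cert request signing options.

    stop_days : 'Stop card issuance before expiry date' (None when disabled)
    warn_days : 'Warn before stop', counted back from the stop date (None when disabled)
    Returns 'OK', 'WARN', 'STOP' or 'EXPIRED'.  Boundary days are inclusive of the
    later state (assumption; the page does not state the boundary rule).
    """
    not_after = date.fromisoformat(not_after_iso)
    today = date.fromisoformat(today_iso)
    if today > not_after:
        return "EXPIRED"                      # signing would be rejected by the CA anyway
    if stop_days is None:
        return "OK"                           # stop option disabled: issuance runs to expiry
    if stop_days < 0 or (warn_days is not None and warn_days < 0):
        raise ValueError("day counts must be non-negative")
    stop_date = not_after - timedelta(days=stop_days)
    if today >= stop_date:
        return "STOP"                         # inside the stop window: issuance fails
    if warn_days is not None and today >= stop_date - timedelta(days=warn_days):
        return "WARN"                         # inside the warning window: system health warns
    return "OK"


def days_until_stop(not_after_iso, today_iso, stop_days):
    """Days left before issuance stops (negative once the stop window has begun)."""
    stop_date = date.fromisoformat(not_after_iso) - timedelta(days=stop_days)
    return (stop_date - date.fromisoformat(today_iso)).days


if __name__ == "__main__":
    # Constructed values: EA certificate expiring 2025-12-31, stop 30 days before, warn 14 days before stop.
    for today in ("2025-11-01", "2025-11-20", "2025-12-05", "2026-01-02"):
        print(today, ea_certificate_state("2025-12-31", today, 30, 14))
```

Running the check from monitoring rather than waiting for the system health warning gives the operators lead time to request a replacement EA certificate before USS enrolments start failing.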

Add Service Key Store

From the Add service key store dialog the operator service wizard will set up the operator service key store that will be used for USS operations. See this section in this document for further details.

Details

Select an operator and click the Details button to retrieve more information about the selected operator. The Name field is the name of the person the operator is assigned to. The Created field is the time and date that the operator was created on the system. The CSN is the card serial number for the operator card. The Reader is the name of the reader that the operator card is attached to. The Status is the current status for the operator. Additional information is provided in the window below the fields already described.

Activate

Select an operator from the table and click the Activate button to activate an operator that has been inactivated.

Inactivate

Select an operator from the table and click the Inactivate button to inactivate an operator if required.

Edit

The Edit dialog allows operators who have the appropriate permissions to add or remove roles for an operator. Select an operator from the table and click the Edit button to adjust the role permissions for the selected operator.

PIV

This section will describe how the S-Series can be used to manage PIV smart cards.

Note: It is possible to manage the following PIV smart cards using the S-Series:
Gemalto IDPrime PIV;
Oberthur ID-One PIV;
Yubico YubiKey PIV;
Taglio PIVKey.

Important: Please note the following:
The Federal Agency Smart Credential Number (FASC-N) and printed information are not managed. This feature is not yet fully implemented in the S-Series. Currently the S-Series will write a fixed hard coded value to this field;
It is not possible to manage an iris record on the PIV smart card. This feature is not yet fully implemented in the S-Series. Currently the S-Series will write a fixed hard coded value to this field;
It is not possible to manage a fingerprint record on the PIV smart card. This feature is not yet fully implemented in the S-Series. Currently the S-Series will write a fixed hard coded value to this field;
It is not possible to manage a photo record on the PIV smart card. This feature is not yet fully implemented in the S-Series. Currently the S-Series will write a fixed hard coded value to this field;
It is not possible to unblock the smart card using challenge-response. It is only possible to unblock the smart card using the PUC. PIN unblock using challenge-response is not supported by the PIV smart card;
It is not possible to import root CA certificates onto the smart card. This is a feature of the PIV smart card;
There is no default key container on the smart card. This is a feature of the PIV smart card;
It is not possible to configure the PIN policy on the smart card. The PIN policy is set on the smart card during the perso process as carried out by the manufacturer. This is a feature of the PIV smart card;
In order to perform PUC unblock with this card the user self-service application can be used. Self-service PIN unblock will not be possible due to the limitation that the card can only be unblocked using the PIN PUC;
For Oberthur ID-One PIV it is required to have the Oberthur Technologies PIV NIST Device minidriver installed on the machine where you manage the token from.

Secure Messaging

Secure messaging provides end-to-end security for the communication between the smart card and the off-card entity, the S-Series in this case, by adding confidentiality, integrity and authentication to the APDU transactions with the smart card. This feature is supported for the PIV cards supported by the S-Series. In order to use this feature it will be necessary to configure the keys used to establish the secure channel for secure messaging. Key usage here is implemented based on the GlobalPlatform specification.

From the Options Smart Cards page select the PIV card and click the SM Key(s) button to configure the secure messaging keys. Depending on the card type used, the S-Series uses the default factory keys for establishing the secure messaging channel. If the card's keys are not the default values then it will be necessary to change the values here. Please consult your provider if the keys are not the default values. The keys configured here are based on the GlobalPlatform specification.

Device Management

This section will describe how the S-Series can be configured to allow for the central management of devices on which VSCs are managed. If this feature is to be used it is necessary to enable the Enable automatic device registration checkbox.

In the Trusted certificate(s) section enable the Filter for key usage checkbox, which will configure the S-Series to check the device certificate that is sent from the client to the server via the vsec:cms RSDM service. The certificate key usage can be checked to ensure a specific key usage is set for the device certificate. For example, if the filter is set to 128 (decimal) in the Must have field this means that the certificate should have the key usage digital signature. It is possible to add the root or sub CA certificate of the issuing CA to validate that the device certificate is issued from the same CA. Click the Add button and select the root or sub CA to get the issuer information. The setting Import device certificates to vsec:cms managed certificates repository is for future functionality and is shown here for information purposes only.

In the Device name section it is possible to configure specific information about the name for the device if required. If a specific name is required for a specific device, where the device name is stored in the registry on the device, enable the Read device name from registry checkbox and enter the path to the registry key. The registry key will need to be under HKEY_LOCAL_MACHINE. For example, if the device name registry key was:

HKEY_LOCAL_MACHINE\device\mydevicename

then you would enter in the Registry key field:

device\mydevicename

where mydevicename is the key that stores the device name. This key should be of type String. Alternatively, you can read the device name from a system environment variable. The variable needs to be a System variable in this case.

In the UDP Broadcast Setting section enable Use computer name, which will result in the server side sending the UDP broadcast message only to the device hostname that was used during the registration of the device. Enable Use broadcast address and enter an IP address in the field
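The Must have value of 128 in the paragraph above is the decimal form of 0x80, the digitalSignature bit: in the X.509 KeyUsage extension the bit string's first bit is the most significant bit of its first byte, so the bit positions from RFC 5280 map to 0x80, 0x40, 0x20 and so on (the same values Windows CryptoAPI uses for key usage flags). The Python below is an added example, not code from the guide or from Versasec, that decodes a DER-encoded KeyUsage value and applies a Must have mask to it; it assumes the filter semantics are "every bit in the mask must be set in the certificate", which is the natural reading of "must have" but is not stated on the page. The DER byte strings used in the usage example are constructed.

```python
KEY_USAGE_BITS = {
    # Masks for the first byte of the KeyUsage BIT STRING (RFC 5280, 4.2.1.3).
    # Bit 0 (digitalSignature) is the most significant bit, hence 0x80 = 128 decimal.
    "digitalSignature": 0x80,
    "nonRepudiation":   0x40,
    "keyEncipherment":  0x20,
    "dataEncipherment": 0x10,
    "keyAgreement":     0x08,
    "keyCertSign":      0x04,
    "cRLSign":          0x02,
    "encipherOnly":     0x01,
}


def decode_key_usage(der: bytes) -> int:
    """Return the first content byte of a DER BIT STRING as a usage mask.

    Only short-form lengths are handled, which covers every KeyUsage value (at
    most two content bytes).  decipherOnly (bit 8) lives in the second byte and
    is deliberately not represented in the returned mask.
    """
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a DER BIT STRING")
    length = der[1]
    if length & 0x80 or length != len(der) - 2:
        raise ValueError("bad BIT STRING length")
    unused_bits = der[2]
    if unused_bits > 7:
        raise ValueError("invalid unused-bit count")
    if length == 1:
        return 0                              # empty bit string: no usage asserted
    first = der[3]
    if length == 2:
        # The unused-bit count applies to the last content byte; when that is the
        # first byte, clear the padding bits so they are never read as a usage.
        first &= (0xFF << unused_bits) & 0xFF
    return first


def usage_names(mask: int) -> list:
    return [name for name, bit in KEY_USAGE_BITS.items() if mask & bit]


def must_have_satisfied(usage_mask: int, must_have: int) -> bool:
    """Assumed Must have rule: every bit set in the filter must also be set in the certificate."""
    return (usage_mask & must_have) == must_have


def device_certificate_allowed(key_usage_der: bytes, must_have_field: str) -> bool:
    """Apply the decimal Must have field (e.g. "128") to a certificate's KeyUsage extension value."""
    return must_have_satisfied(decode_key_usage(key_usage_der), int(must_have_field, 10))


if __name__ == "__main__":
    # Constructed: BIT STRING, 2 bytes, 5 unused bits, 0xA0 = digitalSignature + keyEncipherment
    sample = bytes.fromhex("030205A0")
    mask = decode_key_usage(sample)
    print(hex(mask), usage_names(mask), "allowed with Must have=128:", device_certificate_allowed(sample, "128"))
```

A device certificate carrying only keyEncipherment (0x20) is rejected by the 128 filter, which is the point of the check: the RSDM client must prove possession of a signing key, not merely present any certificate from the trusted CA.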

provided. It is possible to enter a list of IP addresses that you want the broadcast message to be sent to. For example, if your client devices are in a and range then all clients with an IP address of XXX or XXX will receive the broadcast message. In this case the IP addresses should be separated by the ; (semi-colon) character.

If both the Use computer name and Use broadcast address checkboxes are enabled the S-Series will first try to send a broadcast message to the selected computer device. If this fails for whatever reason then the S-Series will send a broadcast message to every computer device in the IP range configured in Use broadcast address. The broadcast packet will contain the device ID; each device checks whether the device ID matches its own ID, and only the device with the corresponding device ID will send a response to the server requesting details on what it needs to perform.

Click the Test button to send a test UDP message. This can be useful when troubleshooting a communication issue. For example, a device that was registered as paul-PC.VERSATILESECURI.local and which is listening on port 8002 would be set as below when the Test button is clicked. On clicking OK, if the message is successfully sent you will see a success dialog like the one below. On the client device, in the event viewer, you will see an entry similar to the one below indicating that the communication channel is functional as required.
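The exchange described above, as an added example that is not part of the guide or of the RSDM implementation: the server sends one datagram per configured address, every device reads it, and only the device whose ID is in the packet answers. The Python below parses a semicolon-separated Use broadcast address list, then runs the exchange between two stand-in devices on loopback ports. The JSON packet layout, the rsdm-wake / rsdm-ack message names and the device IDs are constructed for the example; the product's real wire format is not documented on the page, and the real clients listen on port 8002 rather than an ephemeral port.

```python
import ipaddress
import json
import socket

RECV_TIMEOUT = 1.0   # seconds to wait for a datagram before giving up


def parse_broadcast_addresses(field: str) -> list:
    """Split the Use broadcast address field on ';' and validate every entry as an IPv4 address."""
    addresses = []
    for item in field.split(";"):
        item = item.strip()
        if item:
            addresses.append(str(ipaddress.IPv4Address(item)))  # ValueError on anything that is not an address
    return addresses


def build_wake_message(device_id: str) -> bytes:
    # Constructed wire format for this example only.
    return json.dumps({"type": "rsdm-wake", "device_id": device_id}).encode()


def should_respond(own_device_id: str, datagram: bytes) -> bool:
    """Device-side rule from the guide: answer only when the packet carries our own device ID."""
    try:
        msg = json.loads(datagram.decode())
    except ValueError:                    # covers bad UTF-8 and bad JSON alike
        return False
    return (isinstance(msg, dict) and msg.get("type") == "rsdm-wake"
            and msg.get("device_id") == own_device_id)


class FakeDevice:
    """Stand-in for a client running the RSDM service, listening on a loopback UDP port."""

    def __init__(self, device_id: str):
        self.device_id = device_id
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        self.sock.bind(("127.0.0.1", 0))          # ephemeral port instead of the real 8002
        self.sock.settimeout(RECV_TIMEOUT)
        self.port = self.sock.getsockname()[1]

    def handle_one(self) -> bool:
        """Read one datagram; reply with an ack only when it is addressed to this device."""
        try:
            data, sender = self.sock.recvfrom(2048)
        except (socket.timeout, TimeoutError):
            return False
        if not should_respond(self.device_id, data):
            return False                          # not our ID: stay silent
        ack = json.dumps({"type": "rsdm-ack", "device_id": self.device_id}).encode()
        self.sock.sendto(ack, sender)
        return True

    def close(self):
        self.sock.close()


def run_wake_demo(target_device_id: str = "DEV-0002"):
    """Server side: send the wake datagram to two devices and return (responders, acks received)."""
    devices = [FakeDevice("DEV-0001"), FakeDevice("DEV-0002")]   # constructed device IDs
    server = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    server.settimeout(RECV_TIMEOUT)
    server.bind(("127.0.0.1", 0))
    try:
        message = build_wake_message(target_device_id)
        for dev in devices:                       # one datagram per configured address
            server.sendto(message, ("127.0.0.1", dev.port))
        responded = [dev.device_id for dev in devices if dev.handle_one()]
        acks = []
        for _ in responded:
            data, _sender = server.recvfrom(2048)
            acks.append(json.loads(data.decode())["device_id"])
        return responded, acks
    finally:
        server.close()
        for dev in devices:
            dev.close()


if __name__ == "__main__":
    print(parse_broadcast_addresses("192.0.2.10;192.0.2.11; 192.0.2.12"))   # constructed documentation addresses
    print(run_wake_demo("DEV-0002"))
```

Because the device ID is the only thing that selects a responder, a wake packet sent to a whole range is harmless to the other devices, which is why the fallback to the Use broadcast address list is safe when the hostname route fails; the event viewer entry on the client corresponds to the point where handle_one decides whether to answer.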

Roles

It is possible to configure what roles, or operations, an operator can perform from the Roles page. These operations encompass smart card lifecycle operations and restrict what configuration changes an operator can carry out in the S-Series.

Default Role Settings

The default roles that an operator can perform in the S-Series are provided in the table below. The operations that an operator can be restricted to are:
Viewable+Execute (V+E): the operator can view and perform the particular operation.
Viewable (V): the operator can only view the particular operation.
Hidden (H): the particular operation will be hidden from the operator.

All the menu options available from the S-Series can be restricted depending on what role the operator is assigned.

Menu                                          Sys. Admin  Elevated  Normal  Restricted  Key Recovery
Home                                          V+E         V+E       V+E     V+E         H
Lifecycle                                     V+E         V+E       V+E     V+E         H
Actions - Smart Card Unblock Online           V+E         H         V+E     V+E         H
Actions - Smart Card Unblock Offline          V+E         H         V+E     V+E         H
Actions - Smart Card Unblock - Self Service   V+E         H         V+E     V+E         H
Actions - Temporary Smart Card                V+E         H         V+E     V+E         H
Actions - PIN Policies                        V+E         H         V+E     V+E         H
Actions - Certificates/keys                   V+E         H         V+E     V+E         H
Actions - Print Card                          V+E         H         V+E     V+E         H
Actions - Update Smart Card                   V+E         H         V+E     H           H
Actions - Virtual Smart Card                  V+E         H         V+E     H           H
Actions - Smart Card Information              V+E         H         V+E     V+E         H
Repository - Smart Cards                      V+E         H         V+E     V+E         H
Repository - Transaction Log                  V+E         H         V+E     V+E         H
Repository - Master Keys                      V+E         H         V+E     V+E         H
Repository - Archived Keys                    V+E         H         V+E     V+E         V+E
Repository - Messages                         V+E         H         V+E     V+E         H
Repository - Tokens Repository                V+E         V+E       H       H           H

Repository - Smart Card Transfer              V+E         H         H       H           H
Repository - Batch Processes                  V+E         V+E       H       H           H
Repository - Reports                          V+E         V+E       H       H           H
Templates - Card Templates                    V+E         V+E       V+E     V+E         H
Templates - PIN Policies                      V+E         V+E       V+E     V+E         H
Templates - BIO Policies                      V+E         V+E       V+E     V+E         H
Templates - Card Layouts                      V+E         V+E       V+E     V+E         H
Options - License                             V+E         V+E       H       H           H
Options - Operator Token Management           V+E         V+E       H       H           H
Options - Security                            V+E         H         H       H           H
Options - Settings                            V+E         V+E       H       H           H
Options - Smart Cards                         V+E         V+E       H       H           H
Options - PIV                                 V+E         V+E       H       H           H
Options - Master key                          V+E         V+E       H       H           H
Options - Connections                         V+E         V+E       V+E     V+E         H
Options - Variables                           V+E         V+E       V+E     V+E         H
Options - Roles                               V+E         H         H       H           H
Options - Operators                           V+E         H         H       H           H
Options - Repository                          V+E         H         H       H           H

For each process that an operator can perform from the Lifecycle page it is possible to restrict what operation they can perform.

Process                                       Sys. Admin  Elevated  Normal  Restricted  Key Recovery
Destroy Virtual Card                          V+E         V+E       H       H           H
Register Card                                 V+E         H         V+E     H           H
Unregister Card                               V+E         H         V+E     H           H
Issue Card                                    V+E         H         V+E     H           H
Initiate Card                                 V+E         H         V+E     V+E         H
Delete Card                                   V+E         H         V+E     H           H
Revoke Card                                   V+E         H         V+E     H           H
Retire Card                                   V+E         H         V+E     H           H
Inactivate Card                               V+E         H         V+E     H           H
Activate Card                                 V+E         H         V+E     H           H
Lock Card                                     V+E         H         V+E     H           H
Unlock Card                                   V+E         H         V+E     H           H
Update Card                                   V+E         H         V+E     H           H

Perform Batch Process                         V+E         H         V+E     H           H
Create Virtual Card                           V+E         V+E       H       H           H

Tasks are the configuration tasks that an operator is allowed to perform.

Task                                          Sys. Admin  Elevated  Normal  Restricted  Key Recovery
Options - Variables Edit                      V+E         V+E       H       H           H
Card Templates Modify                         V+E         V+E       H       H           H
Card Templates Export                         V+E         V+E       V+E     V+E         H
Card Templates Save                           V+E         V+E       V+E     V+E         H
Modify Connector Settings                     V+E         V+E       H       H           H
Configuration Wizards                         V+E         V+E       H       H           H
Modify Repository Settings                    V+E         V+E       H       H           H
Configure Repository Columns                  V+E         V+E       V+E     V+E         H
Key Archival Recovery                         V+E         H         H       H           V+E
Key Archival - Delete Archived Key            V+E         H         H       H           H
User Card Certificates Delete                 V+E         H         V+E     H           H
User Card Certificates Issue                  V+E         H         V+E     H           H
User Card Certificates Reissue                V+E         H         V+E     H           H
User Card Certificates Import                 V+E         H         V+E     H           H
User Card Certificates Default                V+E         H         V+E     H           H
User Card Certificates Recover                V+E         H         H       H           V+E
User Card Certificates - Issue - Choose ID    V+E         H         V+E     H           H
PIN Policies Set                              V+E         H         V+E     H           H
BIO Policies Set                              V+E         H         V+E     H           H
User Card Print                               V+E         H         V+E     H           H
Repository - Copy Clipboard                   V+E         H         V+E     V+E         H
Repository - Import vsec:cms K-Series         V+E         H         H       H           H
Repository - Import Card Transfer             V+E         H         H       H           H
Repository - Import Gemalto DAS/IDADMIN 100   V+E         H         H       H           H
Repository - Edit Card Data                   V+E         V+E       H       H           H

Operator Token Clone: V+E V+E H H H
Operator Token Revoke: V+E V+E H H H
Operator Token - Check for Updates: V+E V+E V+E V+E H
Data Export: V+E V+E V+E V+E H
Save Diagnostic trace: V+E V+E V+E V+E H
Self-Service Access - Generate Unblock Codes: V+E H V+E V+E H
Self-Service Access - Reset User Passphrases: V+E H V+E V+E H

Configure Roles

The operations that an operator can perform are configurable from the Options - Roles page. The roles that an operator can have are System Administrator, Elevated, Normal, Restricted and Key Recovery. If it is required, for example, to change the default permissions set for a role of type Restricted, browse to the Options - Roles page, select the role from the Role drop-down list and click Edit.

Note: To reset the permissions to the default settings, click the Reset all permissions button.

Note: It is possible to clone an existing role by clicking the Clone button. The new cloned role can then be configured with specific permissions as required.

By default, the role Restricted is limited to unblock operations. If it is required to allow this role to perform smart card register operations, select the Register Cards action and click Delete. Then select Register Cards again, select the Viewable+Execute option from the drop-down list and click the Add button to set this permission for the Restricted role. Click the Save button to complete.


Repository Views

The S-Series application maintains detailed repositories of the operations performed. This section describes the different repositories.

Transaction Log

Transactions performed with the S-Series can be viewed from this page. If a registered end user smart card is attached, the transaction log dialog shows the card serial number of the inserted end user smart card in the upper right corner and shows only the actions for that smart card. If no user smart card is attached, the dialog shows all actions performed with the S-Series. If the Clear filter button is enabled, clicking it shows all actions performed with the S-Series. Clicking the Copy button copies the content of the table into the system clipboard.

This repository table provides the following details by default:
- Time: the time and date that the transaction took place.
- Operator: the operator who performed the operation.
- CSN: the smart card serial number.
- Comment: a brief description of the transaction carried out.

It is possible to customize the columns presented in this table. Please see the section below for further details.

Smart Cards

The Smart Cards repository view displays the end user card(s) managed by the S-Series. It is possible to filter the search by entering an Assigned ID into the Filtered by ID field. If the operator attaches a registered user smart card to the system, the screen shows the repository entry for the inserted user smart card only. It is also possible to filter the repository by the card templates that the user smart cards have been issued with. The Clear filter option shows all user cards in the repository. If the operator selects one entry from the list and clicks the Trans. log(s) button, the Transaction Log view is shown with the transactions for the selected user card. Click the Advanced filter button to perform advanced search filters.
Select either Apply filter on individual directory fields or Filter on invalid or missing user records. If Apply filter on individual directory fields is selected, a filter can be entered in the filter field. For example, to find all users who have been issued smart cards and whose e-mail address domain is versasec.com, simply enter versasec.com into the filter field. Only S-Series variables that have been assigned to directory attributes are available here. If Filter on invalid or missing user records is selected, the S-Series searches all records and reports any user who has been issued a smart card but whose DN is no longer valid. Click the Copy button to export the content of this table into the system clipboard, from where it can be saved to a file.

It is possible to make adjustments to a user's DN from this page. The user's DN is used by the S-Series to uniquely identify them in the system. Scenarios may arise where a user is moved from one organizational unit to another, meaning that their DN changes. Click the Fix ID button to change a user's DN as stored in the S-Series. Follow the instructions below to make the change.

Select a user from the Smart Cards table and click the Fix ID button. Details about the smart card, the smart card type and the current DN that the user is associated with are shown. Click the Verify button to verify whether the current user DN as saved in the S-Series is valid. If the user's DN has changed, click the Get ID button and search for the user whose DN has changed, or type in the user's DN and click Verify to verify that the DN is correct. Click Ok to update the S-Series database with this user's DN.

The process status of the user smart card can be changed from this screen. An operator can select an entry and, depending on the current status of the card, change the status to Activate, Inactivate, Revoke or Delete.

This table provides the following details by default:
- ID: a unique identifier for the repository entry.
- Last Action at: the time and date that the last action was performed by the S-Series on the smart card.
- CSN: the smart card serial number.
- RFID: the RFID smart card serial number if the card has an RFID chip that is managed by the S-Series.
- Wiegand: the Wiegand code ID if the card has an RFID chip that is managed by the S-Series.
- Key ID: the identifier of the master key used to diversify the user smart card administration key.
- Assigned ID: the identifier, if any, assigned to the user smart card.
- Template: the smart card template set for the user smart card.
- Status: the current process status that the user smart card is in.

It is possible to customize the columns presented in this table. Please see the section below for further details.

Archived Keys

The Archived Keys repository view displays the archived keys created by the S-Series. The table of archived keys provides the following details by default:
- ID: the identifier of the key as stored by the S-Series.
- Created at: the time and date that the archived key was created.
- User DN: the user DN that the archived key was issued to.
- Card Template: the card template that was used to issue the archived key.
- Cert Template: the certificate template used when issuing the archived key.

It is possible to customize the columns presented in this table. Please see the section below for further details.

Master Keys

The Master Keys repository view shows the master key(s) used by the S-Series. If an entry is selected in the list and the operator clicks the View smart card(s) button, the Smart Cards repository view is shown with information about the user smart cards registered with the selected master key. Click the Copy button to export the content of this table into the system clipboard, from where it can be saved to a file.

This table provides the following details by default:
- Key ID: the identifier for the master key(s) created by the S-Series.
- Created at: the time and date that the master key was created.
- User smart cards: the number of user smart cards registered with the master key.

- Comment: a description message to describe the master key.

It is possible to customize the columns presented in this table. Please see the section below for further details.

Smart Card Transfer

From this page it is possible to migrate registered user smart cards from other smart card management systems. Currently, it is possible to migrate from the following CMS systems:
- MS Forefront Identity Manager Certificate Manager (FIM CM);
- Versasec vsec:cms K-Series;
- Gemalto DAS / IDAdmin 100.

FIM CM Transfer

Follow the instructions in this section to perform a migration from FIM CM.

Note: It will be necessary to generate an encryption key that is used when exporting the registered smart cards from FIM CM.

Click the Import button to select a PKCS#12 file that contains the encryption key that was used to encrypt the FIM CM exported smart card data file, or click the Create New Encryptor button to generate an encryption key. If the Create New Encryptor button is clicked to generate an encryption key, this key remains on the operator token and never leaves the token. Click the Copy button to get the public encryption key. This key is used to encrypt the smart card data when exporting it from FIM CM.

If the Import button was selected in the previous step, browse to the location of the PKCS#12 file and enter the password and key type. The Container field is generated automatically by the S-Series and is used as an identifier. On clicking the Import button, the operator is prompted to enter their passcode to complete the import.

After exporting the smart cards from FIM CM, the generated transfer file is saved as an .sctf (smart card transfer file) file. Browse to the location of the transfer file. Click the Import button and enter the operator passcode to progress to the next stage of the transfer.
From the next dialog, enable Filter on user directory location and select the directory tree that is to be imported. The number to the left of the directory tree is the number of entries in that tree. The figures shown under the headings are:
- Available: the total number of entries in the imported file.
- Validated: the total number of entries validated in the imported file.
- New cards: the total number of new user card entries in the imported file that are currently not present in the S-Series.
- Selected: the total number of entries selected that will be imported.
- Available licenses: the total number of licenses that currently exist on the S-Series.
- Invalid: the number of invalid entries read from the imported file.
- To update: the number of entries read from the imported file that will be updated if the import is performed.
- Ignore: the number of entries that have been ignored when read from the imported file.

From the next dialog, enable Filter on smart card state and select the card states that are to be imported. The number to the left of the card state is the number of entries in that state.

From the next dialog, the selected users' card details are presented before they are imported. Uncheck the Import box for any smart card that is not to be imported.

From the final dialog it is possible to export a report for the imported data by clicking the Export button.

vsec:cms K-Series Transfer

If the vsec:cms K-Series is used to manage an organization's smart cards and it is required to upgrade to the S-Series, this migration can be performed from the vsec:cms K-Series section. During the migration from the vsec:cms K-Series to the S-Series the following operations are performed:
- The S-Series imports smart cards, transaction logs, PIN policies and master keys from the vsec:cms K-Series;
- The S-Series removes the transferred smart cards from the vsec:cms K-Series repository and decreases the license count on the vsec:cms K-Series by the number of cards transferred;
- The imported smart cards are assigned to a newly created card template and their status is set to active;
- PIN policies and master keys are only transferred on the first migration from a K-Series instance;
- Smart card specific transaction logs are only transferred for registered cards that are imported; for example, if an operator of vsec:cms K-Series registers and then unregisters smart cards in vsec:cms K-Series, those transaction logs are not imported;
- If the vsec:cms K-Series is used again after the migration, it is possible to perform another migration. If, however, the master key on the vsec:cms K-Series is changed, then any smart card registered using this new master key will not be migrated if a migration is attempted.

Note: In order to perform a migration the operator needs access to the vsec:cms K-Series database file, possession of the vsec:cms K-Series operator smart card and knowledge of the vsec:cms K-Series passcode. The vsec:cms K-Series needs to be in Secure System Mode to perform a migration.

Click the Proceed button to begin the workflow. Click the Browse button to browse to the location of the vsec:cms K-Series database file that is to be migrated. If the vsec:cms K-Series operator smart card is not attached to the system that the S-Series is running on, the operator is prompted to insert the smart card. On inserting the vsec:cms K-Series smart card, information about the smart card(s), transaction logs, master keys and PIN policies set in the vsec:cms K-Series is displayed. Enter the vsec:cms K-Series operator passcode and click the Import button to start the migration. Enter the S-Series operator passcode when prompted.

Gemalto DAS / IDADMIN 100

It is possible to migrate smart cards managed by the Gemalto DAS / IDADMIN 100 (referred to as DAS in this document) smart card management tool to the S-Series. This section describes the steps to be carried out in order to migrate from DAS to the S-Series using a CSV file. Refer to the VS DAS MT Administration Guide.pdf document in order to create the CSV file that is used to migrate DAS managed smart cards to the S-Series.

Prerequisites

It is necessary for the S-Series operator to have possession of the DAS controller smart card and knowledge of this controller smart card's PIN.

The smart cards registered with the DAS tool need to be added to a CSV file which is used by the S-Series during the migration flow. It is assumed that the required smart card information is already captured in a CSV file ready to be imported using the migration steps described below.

Migration Steps

Follow the steps in this section to perform the migration. From the Repository - Smart Card Transfer page click the Proceed button in the Gemalto DAS section.

If the card information for DAS managed cards is to be sent from the end users' workstations using the vsec:cms USS application, click the Auto collect button. From this dialog it is possible to enable auto collection through the USS. When a smart card user attaches a DAS managed smart card to a workstation where the USS application is running in the system tray, the enabled information is sent to the S-Series.
- Enable Collect windows logon credentials if the logged-on user's Windows domain username credential is to be sent. Note that it is the currently logged-on user's domain credential that is sent.
- Enable Collect certificate UPN field(s) to send the user's UPN retrieved from the user certificate, if one exists on the smart card.
- Enter or browse to the location on the server where the information is to be sent in the Folder to store collected data field.
- Enable Show message to the user when data has been collected if the user should be presented with a message informing them that the DAS managed card details have successfully been sent to the server.

With the DAS controller smart card attached, enter the PIN for the controller smart card. Browse to the CSV file that contains the required information about the smart cards registered with the DAS tool (see the Prerequisites section above) and select the separator used in the CSV file. Click the Proceed button to continue. Enter the S-Series operator passcode.
From the Step 1 dialog, enable Filter on user directory location and select the directory tree that is to be imported. The number to the left of the directory tree is the number of entries in that tree. The figures shown under the headings are:
- Available: the total number of entries in the imported file.
- Validated: the total number of entries validated in the imported file.
- New cards: the total number of new user card entries in the imported file that are currently not present in the S-Series.
- Selected: the total number of entries selected that will be imported.
- Available licenses: the total number of licenses that currently exist on the S-Series.
- Invalid: the number of invalid entries read from the imported file.
- To update: the number of entries read from the imported file that will be updated if the import is performed.
- Ignore: the number of entries that have been ignored when read from the imported file.

From the Step 2 dialog, enable Filter on smart card state and select the card states that are to be imported. The number to the left of the card state is the number of entries in that state.

From the Step 3 dialog, the selected users' card details are presented before they are imported. Uncheck the Import box for any smart card that is not to be imported. A short summary is then presented. Click Yes to continue.

From the Step 5 dialog, it is possible to export a report for the imported data by clicking the Export button. Click Close to complete the migration.

Batch Processes

The Batch Process repository view displays the end user card(s) that have been batch registered and/or issued with the S-Series. Select a batch from the list and click the View details button to view specific details about that batch process. Clicking the Copy button copies the content of this table into the system clipboard.

This table provides the following details by default:
- Batch ID: the batch ID for the particular batch job.
- Executed at: the time and date that the batch process was performed.
- Executed by: the operator who performed the operation.
- Process: the process(es) actually performed.
- # of cards: the number of smart cards batch processed for the particular batch.
- Comment: an additional comment for information purposes.

It is possible to customize the columns presented in this table. Please see the section below for further details.

If an entry is selected and the View details button is clicked, a dialog with additional information is presented, as described below. If a smart card that has been batch processed is attached to the system that the S-Series is running on, only entries for that particular card are shown. In order to view all batch operations, click the Show all button. Clicking the Copy button copies the content of this dialog into the host's system clipboard. The Process(es) field provides details on what process(es) have been applied during the batch. The dialog lists:
- CSN: the smart card serial number.
- User ID: the specific user that the smart card is assigned to.
- Card template: the specific card template that was applied to the smart card.
- Result: indicates whether the operation was successful or not.

- Executed at: the date and time that the operation was performed.

If an entry is selected from the previous dialog and the Result button is clicked, additional information about the particular smart card that was batch processed is provided.

Reports

From the Reports page it is possible to configure advanced reporting that allows operators to create report templates that can be used to generate reports from the S-Series. Reports can be used, for example, to retrieve information about smart cards issued and managed by the S-Series; operators may wish to generate a report on all smart cards issued and in an active state. Follow the instructions below to configure report templates. The instructions demonstrate how to create a report that retrieves all smart cards that have been issued with an e-mail address whose domain is versasec.com and whose state is active.

From the Repository - Reports page click the Manage button to start creating a report template. Click the Add button. Enter a template name and a description of the report that this template is to be used for. Click the Configure query button to configure the specific data that is to be retrieved. Click the Configure directories button. From the Available window select the available variables and click the add button to move the variable to the Selected window. In this example the variable ${User } is assigned to the directory attribute mail and ${UserJobtitle} is assigned to the directory attribute title. On selecting the variable from the Selected window, the LDAP query string is shown in the LDAP query window. It is possible to edit this and enter the LDAP query string required for the data to be returned.
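The LDAP query window accepts a filter string in which ${Variable} placeholders stand for the directory attributes the variables are assigned to, and the paragraph that follows edits that string by hand. The Python below is an added example, not part of this guide or of the vsec:cms product: it renders such a template, escapes operator-typed values per RFC 4515 so that a job title containing parentheses or an asterisk cannot change the filter's structure, and evaluates the & (AND) and | (OR) forms of the guide's query against constructed sample records. The variable name ${UserMail}, the attribute mapping and the completion of the e-mail term with a domain wildcard are assumptions.

```python
"""Added example (not vsec:cms code): render a report LDAP filter from ${Variable}
placeholders, escape operator-typed values (RFC 4515) and evaluate & / | filters."""
import re
from fnmatch import fnmatchcase

# Assumed variable-to-attribute mapping: the guide maps the job-title variable to
# "title" and the e-mail variable to "mail" (the name ${UserMail} is assumed).
VARIABLE_ATTRIBUTES = {"UserJobTitle": "title", "UserMail": "mail"}

# Constructed sample directory records (attribute values are lists).
SAMPLE_RECORDS = [
    {"dn": "CN=Alice,DC=example,DC=com", "title": ["Doctor"], "mail": ["alice@versasec.com"]},
    {"dn": "CN=Bob,DC=example,DC=com", "title": ["Nurse"], "mail": ["bob@versasec.com"]},
    {"dn": "CN=Carol,DC=example,DC=com", "title": ["Doctor"], "mail": ["carol@example.org"]},
    {"dn": "CN=Dave,DC=example,DC=com", "title": ["Doctor (acting)"], "mail": ["dave@versasec.com"]},
    {"dn": "CN=Erin,DC=example,DC=com", "title": ["Clerk"], "mail": ["erin@example.org"]},
]

# The two filters discussed in the guide; the e-mail term is completed with a
# domain wildcard (assumption: the guide shows that term without a value).
OR_FILTER = "(|(${UserJobTitle}=Doctor)(${UserMail}=*@versasec.com))"
AND_FILTER = "(&(${UserJobTitle}=Doctor)(${UserMail}=*@versasec.com))"


def escape_filter_value(value):
    """RFC 4515 escaping so a typed value cannot open/close a term or add a wildcard."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def render_filter(template, mapping=VARIABLE_ATTRIBUTES):
    """Replace each ${Variable} with the directory attribute assigned to it."""
    def attribute(match):
        name = match.group(1)
        if name not in mapping:
            raise KeyError("variable ${%s} is not assigned to an attribute" % name)
        return mapping[name]
    return re.sub(r"\$\{(\w+)\}", attribute, template)


def build_report_filter(job_title, mail_domain):
    """Compose the guide's AND filter from operator-typed values, escaped."""
    template = "(&(${UserJobTitle}=%s)(${UserMail}=*@%s))" % (
        escape_filter_value(job_title), escape_filter_value(mail_domain))
    return render_filter(template)


def parse_filter(text):
    """Parse the subset used here: (&...), (|...) and (attr=value) terms."""
    def parse(i):
        if text[i] != "(":
            raise ValueError("expected '(' at offset %d" % i)
        i += 1
        if text[i] in "&|":
            op, i, children = text[i], i + 1, []
            while text[i] == "(":
                child, i = parse(i)
                children.append(child)
            if text[i] != ")":
                raise ValueError("expected ')' at offset %d" % i)
            return (op, children), i + 1
        end = text.index(")", i)  # escaped parens are \28 / \29, never raw
        attr, _, value = text[i:end].partition("=")
        return ("=", attr, value), end + 1
    node, end = parse(0)
    if end != len(text):
        raise ValueError("unbalanced filter: trailing data at offset %d" % end)
    return node


def _value_to_glob(value):
    """Raw '*' stays a wildcard; a \\xx escape becomes a literal character."""
    glob, i = [], 0
    while i < len(value):
        if value[i] == "\\":
            literal, i = chr(int(value[i + 1:i + 3], 16)), i + 3
        elif value[i] == "*":
            glob.append("*")
            i += 1
            continue
        else:
            literal, i = value[i], i + 1
        glob.append("[%s]" % literal if literal in "*?[" else literal)
    return "".join(glob)


def matches(node, record):
    """Evaluate a parsed filter against one record (case-sensitive here)."""
    if node[0] in "&|":
        combine = all if node[0] == "&" else any
        return combine(matches(child, record) for child in node[1])
    _, attr, value = node
    return any(fnmatchcase(v, _value_to_glob(value)) for v in record.get(attr, []))


def run_report(filter_text, records=SAMPLE_RECORDS):
    """Return the DNs the report would list for the given filter string."""
    node = parse_filter(filter_text)
    return [r["dn"] for r in records if matches(node, r)]
```

With the sample records, the | form lists every user who is either a Doctor or at versasec.com, while the & form lists only Alice; typing "Doctor (acting)" unescaped would produce an unbalanced filter, whereas the escaped value matches Dave exactly.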
For example, to retrieve all users who have been issued smart cards, who have an e-mail address of a specific domain AND who have a job title of Nurse, select both variables from the Available window and move them to the Selected window. Then select an entry in the Selected window and the LDAP query string is displayed in the LDAP query window. The syntax will be:

(|(${UserJobTitle}=Doctor)(${User }))

which means that a user's e-mail address OR the user's job title is matched. We want to retrieve only users whose e-mail address has a specific domain AND who have a specific job title, therefore the LDAP query should be changed to:

(&(${UserJobTitle}=Doctor)(${User }))

Click OK to save.

Note: For LDAP queries it is important to make sure that the LDAP server is not restricted by a search limit, otherwise not all data may be retrieved when running reports. This is highlighted here for information purposes and is not the responsibility of the S-Series application.

From the resulting dialog the selected attribute that we want to use is now added as a query field. It is possible to enter text into the Filter field. In this example the report searches for the e-mail addresses of all user smart cards that have been issued to versasec.com, therefore we add versasec.com into the Filter field.

Click the Configure CMS repository button and from the Available window select the variable ${DbCardsStatus}, click the add button to add it to the Selected window and click OK to save. Click the Filter field for the variable ${DbCardsStatus} just added. This opens a selection dialog. All the status checkboxes are selected but greyed out by default, which means that the query searches for all smart card states regardless of the state the smart card is in. Click the Initiated checkbox until the checkbox is enabled and no longer greyed out, since it is required that the filter searches for all smart cards in an active state, and click OK to save. The Filter field for this Query Field will now say Must Active. Click OK to save.

Click Configure result fields to configure what columns will be created in the report. The Style sheet file can be used to import an XSL style sheet for your specific requirements. By default a generic XSL style sheet is incorporated. This can be replaced by clicking the Import button. Click the Save default button to export the default XSL style sheet from the system. Click Reset to default to restore the default style sheet at any time.

From this dialog the columns that are to be populated by the report are configured. In this example report we create the following columns:
- User's Display Name, associated with the variable ${DbCardsIdDisp};
- User's DN, associated with the variable ${DbCardsIdDn};
- User's E-mail Address, associated with the variable ${User };
- Smart Card Status, associated with the variable ${DbCardsStatusStr};
- Date Card Active, associated with the variable ${DbCardsLastchangedStr}.

Select the variables added to the Selected window and in the Column Title field enter the name that will appear as the column title in the report. Click OK to save.

From the Reports page select the template created and click the Generate button to generate the report. Depending on the number of records in the system, report generation can take some time.

System Logs

The System Logs page displays system specific events for the S-Series.
The events captured here are service stop and start events and operator events such as login events and failed operator login events. The system logs table provides the following details by default:
- ID: a unique identifier for the repository entry.
- Time: the time when the operation was performed.
- Operator: the operator who performed the operation.
- Computer: the host computer name from which the operation was performed.
- Action: the actual operation that was performed.
- Data: the CSN of the operator who performed the action.

It is possible to customize the columns presented in this table. Please see the section below for further details.

Managed Devices

From the Managed Devices page it is possible to manage devices that have Virtual Smart Cards (VSC) managed by the S-Series. This allows for the centralized management of devices that are issued with VSCs managed by the S-Series.

Before describing the details of how to configure the centralized device management of VSCs, it is important to understand the philosophy behind centralized device management. As VSCs reside on a physical device, such as a laptop or tablet, it becomes important to be able to manage the device in a secure manner in relation to the end user who the VSC is to be issued to. Using a centralized device management model, it is possible for S-Series operators with the appropriate role to manage the devices that are allowed to be issued with VSCs.

In order to use the centralized device management model, each TPM enabled device in your organization that is to be issued with a VSC needs to be installed with the vsec:cms Remote Service Device Management (RSDM) service and the vsec:cms User Self-Service (USS) application (see below for details on USS). The RSDM requires administration rights to install, as it is a Windows service. Additionally, a registry key needs to be set on the device which points to the S-Series RSDM service, i.e. the vsec:cms RSDM Service.

The registry key needs to be set in the location below on the device for a 64-bit OS:

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Versatile Security\vSEC_CMS_RSDM\Service]

The registry key needs to be set in the location below on the device for a 32-bit OS:

[HKEY_LOCAL_MACHINE\SOFTWARE\Versatile Security\vSEC_CMS_RSDM\Service]

The registry key name is soap.server.url and should be of type String. For example, if the S-Series server host name is myserver.example.com and the RSDM is configured for HTTP on port 80, the value would be:

Additionally, it is possible to set this registry key by passing a parameter to the installer. For example, run the installer from a command prompt as below:

> vsec_cms_rsdm.exe /url="

where <server_host_name> is the host name of the server where the S-Series is installed and <port> is the port number of the RSDM service configured in the S-Series.

If it is required to do a silent install of the RSDM service, run the installer from a command prompt as below:

> vsec_cms_rsdm.exe /url=" /S

where <server_host_name> is the host name of the server where the S-Series is installed and <port> is the port number of the RSDM service configured in the S-Series.

Once the RSDM is installed and configured on the device, the service sends a SOAP message to the S-Series informing it that the device is available to be managed. An operator then needs to select the device in the repository table and send an Execute message to the device, informing it that creation and issuance can now proceed. By default, the RSDM service on the client device polls the server to check whether an Execute message has been initiated by an operator. Once the RSDM service on the client retrieves the Execute message, it processes the request and starts the issuance process. Alternatively, the RSDM service on the client device can be configured to use a UDP broadcast notification sent from the server side as a push notification. This means that the client device waits until it receives a push notification from an operator before it begins the issuance flow. If this is configured, the RSDM polling mechanism on the device is disabled.

On the S-Series, from the Repository - Managed Devices page, the view would be similar to below when a device is registered on the server.

Click the Refresh button to update the table with devices that may have been added to the system. Select an entry from the table and right click to get access to various options. These options are:
- Issue: select this option to initiate a VSC issuance operation on the selected device, which results in the device receiving a message allowing it to start an issuance.
- Retire: select this option to perform a VSC retire operation, which results in all VSCs on the device being retired from the S-Series along with all certificate(s) on these VSCs being revoked on the CA.
- Delete: select this option to delete the VSC from the system. This only deletes the VSC from the S-Series; the VSC needs to be manually removed from the device if required.
- Clear cache: remove messages that have been cached on the server side. A message is cached if the device was not online to receive it.
- Repository: Smart Cards: opens the Card Repository page for the VSC(s) issued to the device.
- Repository: Device Management Logs: opens the complete history from the Device Management Logs repository.
- Details: displays more detailed information about the VSC. See below for more details on this.

Various details, as in the example below, are displayed:
- Device ID: the unique identifier for this device in the S-Series.
- Computer name: the full name of the device as retrieved from Windows.
- Device name: the name of the device as retrieved from Windows.
- Device status: the current status of the device.
- Online status: real-time status showing whether the device is currently online or not.
- Assigned user ID: the Windows user who the device is first issued to.
- Assigned user DN: the full DN of the Windows user who the device is first issued to.
- Device registered: a timestamp of when the device was first registered.
- Assigned to user: a timestamp of when the device was first assigned to a user.
- Last seen online: a timestamp of when the device was last online.
- Last message sent: a timestamp of the last time a message was sent from the server to the device.
- Authentication keys: the number of authentication keys saved in the S-Series database that meet the criteria configured in Options - Device Management for Trusted certificates. This information is currently stored for information purposes and will be used in later versions to perform client authentication when managing devices.
- Device type: information about the device operating system. Currently only Windows is supported, therefore the value is set to 1.
- Pending messages: the number of pending messages that are due to be sent from the S-Series to the device.
- Virtual Smart Cards: lists the VSC serial number and information about the status of the VSC; for example, below the VSC has been issued and assigned a certificate for the user as indicated. Any other additional VSCs managed for the particular device are listed here.
- Authentication key(s): lists information about the authentication keys that will be used in a future version of the S-Series to authenticate the client devices.

Click the Copy button to copy the contents of the table into the system clipboard. The contents can then be pasted into a text editor and saved as a CSV file, for example, and used for reporting purposes.

The selected device in the example above has sent a message to the S-Series informing it that it is ready to be managed in relation to being issued with a VSC. An operator with the appropriate role would then click the Execute button, which opens a dialog like the one below. As this is the first time that a device is to be managed, the management task drop-down list is empty. Click the Manage button and then the Add button to create a management task template.

In Template name enter an appropriate name for the template. From the Smart card template to issue drop down list select an already created VSC card template that will be used to issue the VSC. The card template selected here will then only be available from this management task.

Select Enable username+password logon if the local registry key on the device should be set to allow the end user to log onto the device using their Windows domain username and password when the device is already configured to enforce smart card logon. Enabling this setting sets the registry value below to 0:

[HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\ScForceOption]

Important: If a GPO is in place that configures the device to enforce smart card logon, the GPO will override the registry key.

Select Automatically return to former state and enter a timeout period in the field provided. After the timeout the registry value above is set back to 1, enforcing smart card logon again. This may be required if the device was not issued within an appropriate period of time, so that the device is returned to its former configured state.

Enable the Launch user self-service after user logon checkbox to automatically launch the USS application when the user logs into their device, which allows for a streamlined VSC creation and issuance workflow.

Enable Force logout after issuance and enforce sc logon to force the user to log out after setting the PIN code for the VSC at the end of the issuance workflow through the USS. This is only required if Windows smart card logon is to be enforced.

In the Description window a detailed description of the management task template can be added if required. In the Permissions section it is possible to configure which operator roles are allowed to perform the template. Click the Edit button to select from the roles available on the system. Click Save to save and close the template.

Now click the Perform button to send the message to the device, which applies the settings configured in the management task template on the device.

If the device is online a success message will be displayed. On the client device, the user should then start the USS application and issue the device. Otherwise the message will be cached and sent to the device once it comes online.

Configure Poll or Push for RSDM

Poll Mechanism

By default, client devices that have VSCs issued and managed centrally by the S-Series poll the server to check whether any messages are available to execute. The polling is performed by the RSDM service installed on each client device, which sends a message to the server at the configured interval in milliseconds (ms). The polling configuration can be seen from the Repository Managed Devices page by selecting a managed device and clicking the Details button. In the example dialog below the values displayed for Message transport parameter indicate what is configured for the polling.

In the example above the Message transport parameter is 100, 10 / 600000 / 60000, 2 ms. The meaning of each value is described below:

- 100, 10: the client device sends a message every 100 ms to the server asking whether any execute messages are waiting on the server for this device. When the server gets this message it waits 10 ms to see whether it receives any execute commands from an operator within that 10 ms window. If an execute operation is sent, say within 5 ms, the server responds to the client with the execute message. If no execute message is sent within the 10 ms, the server responds to the client informing it that there is no execute message to be processed.
- 600000: the period in ms for which the polling settings 100, 10 (above) are in effect. After this period the settings 60000, 2 take effect.
- 60000, 2: the client device sends a message every 60000 ms to the server asking whether any execute messages are waiting on the server for this device. When the server gets this message it waits 2 ms to see whether it receives any execute commands from an operator within that 2 ms window. If an execute operation is sent, say within 1 ms, the server responds to the client with the execute message. If no execute message is sent within the 2 ms, the server responds to the client informing it that there is no execute message to be processed.

The default settings can be changed via a registry key. The registry value name is rsdm.msg.notify.sett; it is a String value and is set here on a 64 bit OS:

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Versatile Security\vSEC_CMS_T\Service

and here on a 32 bit OS:

HKEY_LOCAL_MACHINE\SOFTWARE\Versatile Security\vSEC_CMS_T\Service

Therefore, to change the default settings to, for example, 200, 10 / 600000 / 60000, 2 ms, set the registry value to 200,10,600000,60000,2.
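As an added example (not Versasec's code), the following Python helper parses and validates the five-field value of rsdm.msg.notify.sett, renders it the way the Details dialog shows it, and selects the documented HKLM subkey for the poll setting above and for the push broadcast port described in the next section. The field and function names are assumptions of this example; the write needs Windows and administrative rights.

```python
import platform
from typing import Dict, Optional

# Value names and HKLM subkeys exactly as documented on this page.
POLL_VALUE_NAME = "rsdm.msg.notify.sett"            # String (REG_SZ)
POLL_SUBKEY = {
    True: r"SOFTWARE\Wow6432Node\Versatile Security\vSEC_CMS_T\Service",   # 64 bit OS
    False: r"SOFTWARE\Versatile Security\vSEC_CMS_T\Service",              # 32 bit OS
}
PUSH_VALUE_NAME = "rsdm.msg.notify.broadcast.port"  # DWORD (decimal)
PUSH_SUBKEY = {
    True: r"SOFTWARE\Wow6432Node\Versatile Security\vSEC_CMS_RSDM\Service",
    False: r"SOFTWARE\Versatile Security\vSEC_CMS_RSDM\Service",
}
# Hypothetical names for the five comma-separated fields of rsdm.msg.notify.sett.
FIELDS = ("fast_interval_ms", "fast_wait_ms", "fast_period_ms",
          "slow_interval_ms", "slow_wait_ms")


def parse_transport_setting(value: str) -> Dict[str, int]:
    """Split '200,10,600000,60000,2' into named fields: poll every 200 ms with a
    10 ms server-side wait for 600000 ms, then every 60000 ms with a 2 ms wait."""
    parts = [p.strip() for p in value.split(",")]
    if len(parts) != 5 or not all(p.isdigit() for p in parts):
        raise ValueError("expected five comma-separated integers, e.g. 200,10,600000,60000,2")
    setting = dict(zip(FIELDS, (int(p) for p in parts)))
    if setting["fast_interval_ms"] <= 0 or setting["slow_interval_ms"] <= 0:
        raise ValueError("poll intervals must be positive")
    return setting


def is_valid_transport_setting(value: str) -> bool:
    """True when the string would be accepted by parse_transport_setting."""
    try:
        parse_transport_setting(value)
        return True
    except ValueError:
        return False


def build_transport_setting(fast_interval_ms: int, fast_wait_ms: int, fast_period_ms: int,
                            slow_interval_ms: int, slow_wait_ms: int) -> str:
    """Inverse of parse_transport_setting: the string to store in the registry."""
    value = ",".join(str(int(v)) for v in (fast_interval_ms, fast_wait_ms, fast_period_ms,
                                           slow_interval_ms, slow_wait_ms))
    parse_transport_setting(value)  # reject a bad combination before it reaches the registry
    return value


def describe_transport_setting(value: str) -> str:
    """Render the value the way the Details dialog shows Message transport parameter."""
    s = parse_transport_setting(value)
    return (f"{s['fast_interval_ms']}, {s['fast_wait_ms']} / {s['fast_period_ms']} / "
            f"{s['slow_interval_ms']}, {s['slow_wait_ms']} ms")


def registry_subkey(mechanism: str, os_is_64bit: Optional[bool] = None) -> str:
    """Documented HKLM subkey for 'poll' or 'push' on a 32 or 64 bit OS."""
    if os_is_64bit is None:
        # Assumption: the machine name ends in '64' (e.g. AMD64) on a 64 bit Windows OS.
        os_is_64bit = platform.machine().endswith("64")
    return {"poll": POLL_SUBKEY, "push": PUSH_SUBKEY}[mechanism][os_is_64bit]


def write_setting(mechanism: str, value: str, os_is_64bit: Optional[bool] = None) -> None:
    """Write the poll string or the push port under HKLM (Windows, administrative rights)."""
    import winreg  # Windows-only standard library module, so imported only here
    subkey = registry_subkey(mechanism, os_is_64bit)
    with winreg.CreateKeyEx(winreg.HKEY_LOCAL_MACHINE, subkey, 0, winreg.KEY_SET_VALUE) as key:
        if mechanism == "poll":
            parse_transport_setting(value)  # never store an unparsable string
            winreg.SetValueEx(key, POLL_VALUE_NAME, 0, winreg.REG_SZ, value)
        else:
            port = int(value)
            if not 1 <= port <= 65535:
                raise ValueError("UDP port must be between 1 and 65535")
            winreg.SetValueEx(key, PUSH_VALUE_NAME, 0, winreg.REG_DWORD, port)
```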

Push Mechanism

It is possible to disable the poll mechanism described in the previous section. Client devices then use a push mechanism to receive notifications from the server side when execute notifications are sent by an operator. The RSDM service on the client device must then be configured to listen on a port for UDP broadcasts from the server. The registry value name that needs to be set is rsdm.msg.notify.broadcast.port; it is a DWORD (decimal) value holding the port number that the client device will listen on. The value should be set here on a 64 bit OS:

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Versatile Security\vSEC_CMS_RSDM\Service

and here on a 32 bit OS:

HKEY_LOCAL_MACHINE\SOFTWARE\Versatile Security\vSEC_CMS_RSDM\Service

When the system is configured in this way the Details section for a selected device reflects it: the Online status shows that the device is configured to use the push mechanism, the Message transport parameter shows that the polling mechanism is disabled, and Listening on UDP port shows the port number the client device is configured to listen on.

Device Management Logs

The Device Management Logs page displays information about devices that have virtual smart cards managed by the S-Series. Specifically, the messages sent between the device and the centralized S-Series are captured here. The device management logs table provides the following details by default:

- ID: a unique identifier for the repository entry.
- Time: the time when the message was sent.
- Device: the unique device ID for the managed device.
- Operator: the operator who performed the operation.
- Computer: the host computer name where the message was sent from.
- Action: summary description of the message sent.
- Data: details about the actual message content that was sent.

It is possible to customize the columns presented in this table. Please see the section below for further details.

Smart Card Stock

The Smart Card Stock page displays information about the card stock(s) configured to be used in the S-Series. See below for more details on this.

Smart Card Stock Logs

The Smart Card Stock Logs is a repository of all card stock(s) configured and used in the S-Series. See below for more details on this.

Pending Tasks

The Pending Tasks repository lists all pending tasks that an operator can then perform as general housekeeping. Pending tasks are triggered in configurations where VSCs are managed by the S-Series. There are two ways that pending tasks can be triggered:

1. An end user deletes their VSC on their client. This triggers a notification to the server side informing the server that the VSC has been deleted. As the record still exists on the server, it is best practice that this record is cleaned up by an operator. Therefore, this will appear and remain as a pending task until the operator cleans it up.
2. A device is, for example, re-imaged, resulting in the device-id for the device changing. This triggers a notification to the server side informing the server that the device-id has changed. This allows the operator to clean up the old device registered in the CMS, as it would no longer be used/managed.

These pending tasks appear in two different forms depending on which task is triggered. If type 1 above is triggered, the task appears similar to below, where the reason states "card removed on device". An operator can right click on an entry, where the options below are available:

- Revoke/Delete: the VSC entry is deleted in the repository and a delete VSC request is sent back to the client to delete the VSC from the device. This results in the VSC being deleted on the client. Additionally, the VSC certificate(s) are revoked on the CA.
- Repository: Smart Cards: the Repository Smart Cards page is opened.
- Repository: Smart Card Logs: the Repository Transaction Logs page is opened.
- Delete: the pending task is just deleted and no other operation is performed.
- Details: additional information is displayed.

If type 2 above is triggered, the task appears similar to below, where the reason states "Device registered as X-XXXXXXX". An operator can right click on an entry, where the options below are available:

- Revoke/Delete: the device and any VSCs on the device are deleted in the repository. Additionally, the VSC certificate(s) are revoked on the CA.
- Repository: Smart Cards: the Repository Smart Cards page is opened.
- Repository: Smart Card Logs: the Repository Transaction Logs page is opened.
- Delete: the pending task is just deleted and no other operation is performed.
- Details: additional information is displayed.

PIN Policy

A PIN is a private code. It can be a sequence of numeric or alphanumeric characters or a mix of the two and is used as a type of password. The PIN must be verified before you can perform security tasks with the smart card, such as smart card logon to a workstation or creating a digital signature. The PIN should be unique to the user's smart card and known only to the user.

Important: The PIN policy applied to a smart card must adhere to what the smart card allows. Different smart cards allow different PIN policy configurations to be applied. Therefore any PIN policy that is to be applied to a smart card must be supported by the smart card. The smart card vendor documentation defines which PIN policy settings the smart card supports.

Add PIN Template

From the Templates PIN Policies page it is possible to configure specific PIN policies that are applied to the smart card during the issuance process. Several different PIN policies are supported depending on the smart card type being managed.

Generic PIN Policy Settings

For generic minidriver smart cards a generic PIN policy template can be created and set on these cards. From the Templates PIN Policies page, click the Add button. Enter a template name and from the Card type select the available type as in the example dialog below.

Enable Block card after policy update if the user smart card should be blocked after the PIN policy is set on the smart card. Enable Update tries left counter and set a value for the counter to configure the number of consecutive PIN entry attempts allowed to the smart card user.

Gemalto.NET PIN Policy Settings

For Gemalto ID Prime.NET smart cards a PIN policy template can be created and set on these cards. From the Templates PIN Policies page, click the Add button. Enter a template name and from the Card type select the available type as in the example dialog below.

Note: A minimum version of of the Gemalto.NET smart card is required to support the PIN policy.

- Template Name: can be changed as required to provide a descriptive name for the template policy.
- Card type: indicates the card types that the template can be applied to.
- Adjacent positions allowed: enabling this check box allows a PIN that has repeated characters adjacent to one another. Enter the number of allowed adjacent positions in the Allowed repetitions field. The value entered sets the number of times a character can be repeated in adjacent positions. For example, if this value is set to 4 then 1111c1 and aaaa1a are allowed PIN values and 11111c and aaaaa1 are not allowed. Note: The value set here cannot exceed the Max appearance value configured in the field described below.
- Max appearance: sets the allowed number of appearances of a character in a PIN; it is not possible to specify which character. For example, if Max appearance is set to 2 then the PIN value 0001 is not allowed whereas 0011 is allowed.
- Max length of sequence: the maximum length of a sequence of consecutive characters, for example 1,2,3,4,5,6... For example, if this parameter is set to 4 then 1234c5 and abcd1e are allowed PIN values and 12345c and abcde1 are not allowed.
- Max repeated characters: sets the number of different characters that can be repeated at least once. For example, if this value is set to 1 then one character can be repeated, but it is not possible to specify which one.
- Block card after policy update: enable this check box to block the smart card after the PIN policy is updated and applied to it, thereby requiring the user to unblock the smart card on receipt.
- Update tries left counter: sets the number of incorrect PIN entry attempts a user can make before the smart card is blocked.
- PIN length: Min sets the minimum length the smart card PIN needs to have when the user sets their PIN, and Max sets the maximum length the smart card PIN may have.

- Character set restrictions: enable this check box to configure which character classes may or must be used when setting a PIN. If this check box is not enabled, all characters are allowed when setting a PIN. If it is enabled, each of the classes below can be set to Allowed, Mandatory or both:
  - Alphabetic uppercase: if enabled, the PIN must contain an upper case character.
  - Alphabetic lowercase: if enabled, the PIN must contain a lower case character.
  - None alphabetic: if enabled, the PIN must contain a character that is neither numeric nor alphabetic; for example, any of these characters would qualify: -!" $%^&*().
  - None Ascii: if enabled, the PIN must contain a non-ASCII character.
- Disable unblock: if enabled, a user who blocks their smart card will not be able to unblock it using either the administration key or the PUC.
- Disable change: disables PIN change on the card, i.e. the card will not allow the user to change the PIN.
- Unblock using admin: enable this check box to allow unblocking the smart card PIN using the administration key set on the smart card.
- Unblock using PUC: enable this if a PUC is to be set and used to unblock the smart card.
- Support SSO: if enabled, the user needs to enter their PIN only once during a card session as long as the smart card is not removed.
- New PIN must differ: if enabled, ensures that the new PIN entered is not the same as the previous PIN set on the smart card.
- Secure PIN input: a feature introduced in Windows 7 for the user to securely enter their smart card PIN.
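The following Python checker is an added example, not Versasec's code or the card's own enforcement: it evaluates a candidate PIN against the Gemalto.NET template rules described above (Adjacent positions / Allowed repetitions, Max appearance, Max length of sequence, Max repeated characters, PIN length, New PIN must differ and Character set restrictions), and the same rules apply to the IDPrime MD 3810 and Versasec Virtual Smart Card templates described later. The field and function names are hypothetical, and "sequence" is assumed to mean adjacent ascending code points (1,2,3 or a,b,c).

```python
from collections import Counter
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class CharClass:
    """Allowed / Mandatory flags for one class under Character set restrictions."""
    allowed: bool = True
    mandatory: bool = False


@dataclass
class PinPolicy:
    """Hypothetical field names mirroring the template fields described on this page."""
    min_length: int = 4
    max_length: int = 16
    adjacent_positions_allowed: bool = False
    allowed_repetitions: int = 1            # used only when adjacent_positions_allowed
    max_appearance: Optional[int] = None    # None means not limited
    max_sequence_length: Optional[int] = None
    max_repeated_characters: Optional[int] = None
    new_pin_must_differ: bool = True
    charset_restrictions: bool = False
    uppercase: CharClass = field(default_factory=CharClass)
    lowercase: CharClass = field(default_factory=CharClass)
    non_alphabetic: CharClass = field(default_factory=CharClass)
    non_ascii: CharClass = field(default_factory=CharClass)

    def validate(self) -> List[str]:
        """Checks on the template itself, e.g. Allowed repetitions may not exceed Max appearance."""
        problems = []
        if self.min_length > self.max_length:
            problems.append("Min PIN length exceeds Max PIN length")
        if (self.adjacent_positions_allowed and self.max_appearance is not None
                and self.allowed_repetitions > self.max_appearance):
            problems.append("Allowed repetitions cannot exceed Max appearance")
        return problems


def longest_adjacent_run(pin: str) -> int:
    """Longest run of one character in adjacent positions: '1111c1' -> 4, '11111c' -> 5."""
    best = cur = 1 if pin else 0
    for prev, ch in zip(pin, pin[1:]):
        cur = cur + 1 if ch == prev else 1
        best = max(best, cur)
    return best


def longest_sequence(pin: str) -> int:
    """Longest run of consecutive ascending characters: '1234c5' -> 4, 'abcde1' -> 5.
    Assumption: descending runs are not sequences, since the page does not say so."""
    best = cur = 1 if pin else 0
    for prev, ch in zip(pin, pin[1:]):
        cur = cur + 1 if ord(ch) == ord(prev) + 1 else 1
        best = max(best, cur)
    return best


def char_class(ch: str) -> str:
    """Map a character to the classes the template can restrict (numeric is never restricted).
    Assumption: any non-ASCII character counts only as 'non_ascii'."""
    if not ch.isascii():
        return "non_ascii"
    if ch.isalpha():
        return "uppercase" if ch.isupper() else "lowercase"
    return "numeric" if ch.isdigit() else "non_alphabetic"


def check_pin(pin: str, policy: PinPolicy, previous_pin: Optional[str] = None) -> List[str]:
    """Return every rule the candidate PIN violates; an empty list means it is acceptable."""
    violations: List[str] = []
    if not policy.min_length <= len(pin) <= policy.max_length:
        violations.append(f"length {len(pin)} is outside {policy.min_length}..{policy.max_length}")
    if policy.new_pin_must_differ and previous_pin is not None and pin == previous_pin:
        violations.append("new PIN must differ from the previous PIN")

    # Adjacent positions: without the check box no character may repeat next to itself.
    max_run = policy.allowed_repetitions if policy.adjacent_positions_allowed else 1
    if longest_adjacent_run(pin) > max_run:
        violations.append(f"a character is repeated in more than {max_run} adjacent positions")

    counts = Counter(pin)
    if policy.max_appearance is not None and counts and max(counts.values()) > policy.max_appearance:
        violations.append(f"a character appears more than {policy.max_appearance} times")
    if policy.max_sequence_length is not None and longest_sequence(pin) > policy.max_sequence_length:
        violations.append(f"contains a character sequence longer than {policy.max_sequence_length}")
    if policy.max_repeated_characters is not None:
        repeated = sum(1 for n in counts.values() if n > 1)  # distinct characters used more than once
        if repeated > policy.max_repeated_characters:
            violations.append(f"{repeated} different characters repeat (max {policy.max_repeated_characters})")

    if policy.charset_restrictions:
        present = {char_class(c) for c in pin}
        for name in ("uppercase", "lowercase", "non_alphabetic", "non_ascii"):
            rule: CharClass = getattr(policy, name)
            if not rule.allowed and name in present:
                violations.append(f"{name} characters are not allowed")
            if rule.mandatory and name not in present:
                violations.append(f"at least one {name} character is mandatory")
    return violations
```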
Gemalto IDPrime MD 3810 PIN Policy Settings

For Gemalto IDPrime MD 3810 smart cards a PIN policy template can be created and set on these cards. From the Templates PIN Policies page, click the Add button. Enter a template name and from the Card type select the available type as in the example dialog below.

- Template Name: can be changed as required to provide a descriptive name for the template policy.
- Card type: indicates the card types that the template can be applied to.
- Adjacent positions allowed: enabling this check box allows a PIN that has repeated characters adjacent to one another. Enter the number of allowed adjacent positions in the Allowed repetitions field. The value entered sets the number of times a character can be repeated in adjacent positions. For example, if this value is set to 4 then 1111c1 and aaaa1a are allowed PIN values and 11111c and aaaaa1 are not allowed. Note: The value set here cannot exceed the Max appearance value configured in the field described below.
- Max appearance: sets the allowed number of appearances of a character in a PIN; it is not possible to specify which character. For example, if Max appearance is set to 2 then the PIN value 0001 is not allowed whereas 0011 is allowed.
- Max length of sequence: the maximum length of a sequence of consecutive characters, for example 1,2,3,4,5,6... For example, if this parameter is set to 4 then 1234c5 and abcd1e are allowed PIN values and 12345c and abcde1 are not allowed.
- Max repeated characters: sets the number of different characters that can be repeated at least once. For example, if this value is set to 1 then one character can be repeated, but it is not possible to specify which one.
- Block card after policy update: enable this check box to block the smart card after the PIN policy is updated and applied to it, thereby requiring the user to unblock the smart card on receipt.
- Update tries left counter: sets the number of incorrect PIN entry attempts a user can make before the smart card is blocked.
- PIN length: Min sets the minimum length the smart card PIN needs to have when the user sets their PIN, and Max sets the maximum length the smart card PIN may have. Important: The Max PIN length supported for this card cannot be greater than 16.
- Character set restrictions: enable this check box to configure which character classes may or must be used when setting a PIN. If this check box is not enabled, all characters are allowed when setting a PIN. If it is enabled, each of the classes below can be set to Allowed, Mandatory or both:
  - Alphabetic uppercase: if enabled, the PIN must contain an upper case character.
  - Alphabetic lowercase: if enabled, the PIN must contain a lower case character.
  - None alphabetic: if enabled, the PIN must contain a character that is neither numeric nor alphabetic; for example, any of these characters would qualify: -!" $%^&*().
  - None Ascii: if enabled, the PIN must contain a non-ASCII character.
- Disable unblock: if enabled, a user who blocks their smart card will not be able to unblock it using either the administration key or the PUC.
- Disable change: disables PIN change on the card, i.e. the card will not allow the user to change the PIN.
- Unblock using admin: enable this check box to allow unblocking the smart card PIN using the administration key set on the smart card.
- Unblock using PUC: enable this if a PUC is to be set and used to unblock the smart card.

- Support SSO: if enabled, the user needs to enter their PIN only once during a card session as long as the smart card is not removed.
- New PIN must differ: if enabled, ensures that the new PIN entered is not the same as the previous PIN set on the smart card.
- Secure PIN input: a feature introduced in Windows 7 for the user to securely enter their smart card PIN.
- PIN Validity Period: a feature supported on this smart card whereby the validity period of the PIN can be configured in days. Once the PIN validity period expires, the application using the smart card should check this value and act accordingly to force the user to change the PIN.

Safenet eToken PIN Policy Settings

For eToken smart cards a PIN policy template can be created and set on these cards. From the Templates PIN Policies page, click the Add button. Enter a template name and from the Card type select the available type as in the example dialog below.

- Template Name: can be changed as required to provide a descriptive name for the template policy.
- Card type: indicates the card types that the template can be applied to.
- Block card after policy update: enable this check box to block the smart card after the PIN policy is updated and applied to it, thereby requiring the user to unblock the smart card on receipt.
- Update tries left counter: sets the number of incorrect PIN entry attempts a user can make before the smart card is blocked.
- Min Length: sets the minimum length the smart card PIN needs to have when the user sets their PIN.
- Min usage period: the minimum period before the PIN can be changed. The default setting is 0 (none).
- Max usage period: the maximum period before the PIN can be changed. The default setting is 0 (none).

- Expiry warning period: the number of days before the PIN expires that a warning message is shown. The default setting is 0 (none).
- Must meet complexity requirements: ensures that complexity requirements are enforced on the PIN. The following settings can be set:
  - Off: complexity requirements are not enforced.
  - Manual: complexity requirements that are set manually. For each of the character types (Numbers, Capital characters, Lowercase characters and Special characters) select one of the following options:
    - Allow: can be included in the PIN, but is not mandatory (default).
    - Must: must be included in the PIN.
    - Forbid: must not be included in the PIN.
  - Auto: complexity requirements are enforced.
- Repeat count: the number of times the same character can be present in a PIN.
- History size: defines how many previous PINs must not be repeated.

Versasec Virtual Smart Card PIN Policy Settings

If Versasec's Virtual Smart Card (VSC) implementation is used, a PIN policy template can be created and set on these VSCs. From the Templates PIN Policies page, click the Add button. Enter a template name and from the Card type select the available type as in the example dialog below.

- Template Name: can be changed as required to provide a descriptive name for the template policy.
- Card type: indicates the card types that the template can be applied to.
- Adjacent positions allowed: enabling this check box allows a PIN that has repeated characters adjacent to one another. Enter the number of allowed adjacent positions in the Allowed repetitions field. The value entered sets the number of times a character can be repeated in adjacent positions. For example, if this value is set to 4 then 1111c1 and aaaa1a are allowed PIN values and 11111c and aaaaa1 are not allowed. Note: The value set here cannot exceed the Max appearance value configured in the field described below.

- Max appearance: sets the allowed number of appearances of a character in a PIN; it is not possible to specify which character. For example, if Max appearance is set to 2 then the PIN value 0001 is not allowed whereas 0011 is allowed.
- Max length of sequence: the maximum length of a sequence of consecutive characters, for example 1,2,3,4,5,6... For example, if this parameter is set to 4 then 1234c5 and abcd1e are allowed PIN values and 12345c and abcde1 are not allowed.
- Max repeated characters: sets the number of different characters that can be repeated at least once. For example, if this value is set to 1 then one character can be repeated, but it is not possible to specify which one.
- Block card after policy update: enable this check box to block the VSC after the PIN policy is updated and applied to it, thereby requiring an unblock by the user.
- Update tries left counter: sets the number of incorrect PIN entry attempts a user can make before the VSC is blocked.
- PIN length: Min sets the minimum length the VSC PIN needs to have when the user sets their PIN, and Max sets the maximum length the VSC PIN may have.
- Character set restrictions: enable this check box to configure which character classes may or must be used when setting a PIN. If this check box is not enabled, all characters are allowed when setting a PIN. If it is enabled, each of the classes below can be set to Allowed, Mandatory or both:
  - Alphabetic uppercase: if enabled, the PIN must contain an upper case character.
  - Alphabetic lowercase: if enabled, the PIN must contain a lower case character.
  - None alphabetic: if enabled, the PIN must contain a character that is neither numeric nor alphabetic; for example, any of these characters would qualify: -!" $%^&*().
  - None Ascii: if enabled, the PIN must contain a non-ASCII character.
- Disable unblock: if enabled, a user who blocks their VSC will not be able to unblock it using either the administration key or the PUC.
- Disable change: disables PIN change on the VSC, i.e. the VSC will not allow the user to change the PIN.
- Unblock using admin: enable this check box to allow unblocking the VSC PIN using the administration key set on the VSC.
- Unblock using PUC: enable this if a PUC is to be set and used to unblock the VSC.
- Support SSO: if enabled, the user needs to enter their PIN only once during a card session as long as the VSC is not removed.
- Secure PIN input: a feature introduced in Windows 7 for the user to securely enter their VSC PIN.

Microsoft Virtual Smart Card PIN Policy Settings

If Microsoft's Virtual Smart Card (VSC) implementation is used, a PIN policy template can be created and set on these VSCs. From the Templates PIN Policies page, click the Add button. Enter a template name and from the Card type select the available type as in the example dialog below.

- Character set restrictions: enable this check box to configure which character classes may or must be used when setting a PIN. If this check box is not enabled, all characters are allowed when setting a PIN. If it is enabled, each of the classes below can be set to Allowed, Mandatory or both:
  - Alphabetic uppercase: if enabled, the PIN must contain an upper case character.
  - Alphabetic lowercase: if enabled, the PIN must contain a lower case character.
  - None alphabetic: if enabled, the PIN must contain a character that is neither numeric nor alphabetic; for example, any of these characters would qualify: -!" $%^&*().
  - None Ascii: if enabled, the PIN must contain a non-ASCII character.
- Update tries left counter: shown here for information purposes only; it is the number of incorrect PIN entry attempts a user can make before the VSC is blocked. This cannot be changed.
- PIN length: Min sets the minimum length the VSC PIN needs to have when the user sets their PIN, and Max sets the maximum length the VSC PIN may have.
- Disable unblock: if enabled, a user who blocks their VSC will not be able to unblock it using either the administration key or the PUC.
- Disable change: disables PIN change on the VSC, i.e. the VSC will not allow the user to change the PIN.
- Unblock using admin: enable this check box to allow unblocking the VSC PIN using the administration key set on the VSC.
- Support SSO: if enabled, the user needs to enter their PIN only once during a card session as long as the VSC is not removed.
- Secure PIN input: a feature introduced in Windows 7 for the user to securely enter their VSC PIN.

Charismathics Virtual Smart Card PIN Policy Settings

If the Charismathics Virtual Smart Card (VSC) implementation is used, a PIN policy template can be created and set on these VSCs. From the Templates PIN Policies page, click the Add button.

Enter a template name and from the Card type select the available type as in the example dialog below.

- PIN Min length: enter the minimum PIN length that should be allowed.
- PIN Max length: enter the maximum PIN length that can be set.
- PIN tries left counter: enter the number of incorrect PIN entry attempts allowed on the VSC before it is blocked.
- PIN Type: two options are available in the drop down list, alphanumeric or number. Select whichever is appropriate for your configuration.

BIO Policy

Biometrics (BIO) is the means of identifying an individual from their unique fingerprint. The BIO must be verified before you can perform security tasks with the smart card, such as smart card logon to a workstation or creating a digital signature.

Add BIO Template

From the Templates > BIO Policies page, click the Add button. Enter a template name and from the Card type select the available types. Currently, the Gemalto .NET smart card with bio applet is supported.

The User Verification Method (UVM) configures the method that the user can use to authenticate to the smart card to perform security tasks such as Windows smart card logon. The available methods are:

- PIN only: select this method if the user should only be allowed to authenticate to the card by providing the card PIN.
- Fingerprint only: select this method if the user should only be allowed to authenticate to the card by providing their fingerprint.
- Fingerprint or PIN: select this method if the user should authenticate to the card by providing either their PIN or their fingerprint.
- Fingerprint and PIN: select this method if the user should authenticate to the card by providing both their PIN and their fingerprint.

From the Access conditions to FMA it is possible to specify which role needs to be authorized to the card before changes to the BIO applet settings can be made. The available methods are:

- Administrator: a challenge response is required to change the biometric settings and the UVM if this option is selected.
- User PIN: the user can change the biometric settings and UVM without administrator support. If this option is selected it is possible to configure the UVM method the user can use. Click the button which presents a dialog with the available methods.

Enter the allowed number of times that a fingerprint can be presented before the card is blocked into the Number of false fingerprint verifications before block field.

Enter the required minimum number of fingerprints that must be enrolled onto the card into the Min. required number of fingerprints field. Enter the maximum number of fingerprint templates allowed to be enrolled onto the card into the Max. number of fingerprint templates field.

Enter the desired false acceptance rate into the False acceptance rate (FAR) field. FAR is used in biometric access control systems. The FAR is a measure of the likelihood that the access system will wrongly accept an access attempt, that is, allow an access attempt from an unauthorized user. Please consult the smart card vendor documentation for the recommended level for this value.

Enable the Unblock PIN also unblocks fingerprints check box if it is required to unblock the fingerprint when performing a PIN unblock. From the Allowed Fingers window it is possible to select/deselect which fingers the user can use when enrolling their fingerprint.

Repository

It is possible to configure the S-Series to perform scheduled export of smart card data from the system. From the Options > Repository page click the Edit button and follow the steps below to configure this feature.

From the Export When drop down list select:

- Disabled if this feature is to be switched off;
- On each change if data export is to be performed whenever a smart card operation is performed;
- Scheduled if data export is to be performed at a scheduled predefined day and time. If Scheduled is selected then it will be possible to configure the frequency, day, hour and minute that the scheduled export should take place.

From the Export Which Records drop down list select either:

- Only modified records. This exports only the smart card data associated with the particular operation performed;
- All records. This exports all smart card data.

From the Export to drop down list select a data export connection and click the Add button. It is recommended to create a dedicated data export connection specifically for this.

Customize Repository Tables

It is possible to customize the columns of the tables presented in the repository views of the S-Series. The same procedure applies to each of the following tables:

- Customize Transaction Table: from the Repository > Transaction Log page.
- Customize Smart Cards Table: from the Repository > Smart Cards page.
- Customize Archived Keys Table: from the Repository > Archived Keys page.
- Customize Master Keys Table: from the Repository > Master Keys page.
- Customize Batch Processes Table: from the Repository > Master Keys page.
- Customize System Logs Table: from the Repository > System Logs page.
- Customize Device Management Logs Table: from the Repository > Device Management Logs page.

On the relevant page, right click the table column names and select Configure. The Available window lists the columns that can be added to the table; select an entry and a short description appears below the Available window. The columns already in use appear in the Selected window. Select an entry there to change the column title in the Label field, and to change the position at which the column appears in the table using the Up and Down buttons.

SQL Database Support

This section is broken into two parts, as it is possible to use an SQL database either to store internal S-Series information or to export configurable S-Series data to it.

SQL Support for Internal S-Series Database

In order to configure the S-Series to connect to and use an external database to store information for the application, follow the instructions in this section.

Note: Currently the S-Series only supports the MS SQL database. If support for other SQL database vendors is required please contact Versasec.

Note: As recommended by MS, the MS SQL database should be encrypted. Please consult your MS SQL database documentation for further information on this.

Prerequisites

A fully functional MS SQL server with a database needs to be available to the S-Series. The S-Series will not create the database.

Important: The S-Series by default uses the SYSTEM account to connect to the MS SQL database. If a specific Windows account is to be used to connect to the MS SQL database then it is necessary to set this account as the service account for the S-Series. It is recommended to log onto the S-Series server with this dedicated account. The S-Series service name is vsec:cms Service; the account is set from the Log on tab in the Windows service dialog. This Windows account also requires access to the dat folder of the S-Series. The dat folder is located at C:\Program Files (x86)\versasec\vsec_cms S-Series\dat if the S-Series is installed into the default installation location. The dat folder contains the local database for the S-Series, which holds specific configuration information that will always be required after the migration to MS SQL.

When setting up the connection to the MS SQL database for the first time, the logged on Windows user account needs the correct permissions to access the MS SQL database if you are authenticating to the SQL database using Windows authentication. This is only required when setting up the connection for the first time. Once the migration has completed, the S-Series uses the service account credential to access the database.

Setup

From the Options > Connections page click the Configure button for SQL Database and click the Add button.

Enter a name for the connection template and select MS SQL from the drop down list. Select the database provider and enter the server details. If it is required to authenticate to the MS SQL server using an MS SQL specific account (commonly referred to as a database user), enable the Use SQL server authentication mode check box and enter the username and password that will be used. If SQL server authentication mode is not used, the logged on Windows user account is used to authenticate to the MS SQL database.

Click the Get Databases button to select the database to connect to. Enable the Use for CMS data check box.

Click the Read Only button and enter a database user account, created on the MS SQL server, that has read-only permissions on the database. This should be an SQL user account. This is required for the reporting feature in the S-Series, to ensure that any SQL queries written as part of a report template can only read from the database and not write to and/or modify the database entries.

Click the Test button to ensure that the application can connect to the database. A success dialog is presented if the application can connect to the database.

On clicking the Save button the operator is asked whether they wish to migrate to SQL now. Click Yes to set up and use the SQL database. The S-Series then migrates data from the internal S-Series database to the MS SQL database. Depending on the number of smart cards already managed by the S-Series this migration may take some time. When the migration is complete, a short summary is displayed. If the No button is selected, the S-Series saves the template details but continues to use the internal S-Series database.

Limitations

The current implementation of SQL database support has some limitations which are important to note. The limitations apply only when the Use for CMS data check box is enabled as described in the configuration setup above. These are:

- If, on startup of the S-Series, the SQL database is unreachable, the application will not start;
- It is only possible to add one SQL connection of this type on any one installation of the S-Series;
- Once the SQL connection is set up and in use it is not possible to roll back to the internal database.

SQL Support for Export of S-Series Data

In order to configure the S-Series to connect to an SQL database for exporting configurable data from the S-Series, follow the instructions in this section.

Note: Currently the S-Series only supports the MS SQL database. If support for other SQL database vendors is required please contact Versasec.

Note: As recommended by MS, the MS SQL database should be encrypted. Please consult your MS SQL database documentation for further information on this.

Prerequisites

A fully functional MS SQL server with a database needs to be available to the S-Series. The S-Series will not create the database.

Setup

From the Options > Connections page click the Configure button for SQL Database and click the Add button. Enter a name for the connection template and select MS SQL from the drop down list. Select the database provider and enter the server details. If it is required to authenticate to the SQL server using SQL authentication, enable the Use SQL server authentication mode check box and enter the username and password that will be used. If SQL server authentication mode is not used, the logged on Windows user account is used to authenticate to the SQL database. Click the Get Databases button to select the database to connect to. Click the Test button to ensure that the application can connect to the database. A success dialog is presented if the application can connect to the database. Click the Save button to complete.

Configure Photo Capture

In order to configure photo capture and then use this feature during smart card issuance, follow the instructions in this section.

Important: Version 4.0 of the .NET Framework needs to be installed on the server where the S-Series is installed.

Note: For the S-Series the photo capturing device must be available from the server where the S-Series is installed. Many applications are available that allow the sharing of a locally connected USB photo capturing device to Windows servers. The device drivers need to be installed (and supported) on the server.

Note: For photo capture, web cams, scanners and photo cameras can be used. For scanners and photo cameras the WIA driver should be enabled on the system. For web cams MS DirectShow is required, which is included in .NET Framework 4.0.

Browse to Options > Connections and click the Configure button for Photo Capture. To add a device click the Add device button and select the device to connect. Enter a name for the device when prompted and click Add. The device is now available under Devices in the main dialog.

To configure the photo preview window, right click the device added in the previous step and select Properties. Select from the available resolutions and click OK. The preview window will be the size of the window in which the photo is displayed. To configure the actual rectangular area within the preview window that the captured photo will be saved from, click the Settings button. For example, if the preview window is set to 320 x 240 and the captured photo should be the same size as the preview window, set the value to 320 px for width and 240 px for height.

Configure the format that the image will be saved as from the available types. Click the Fetch button to take a sample photo and click Capture. Click the Save button to save the image for review.

From Templates > Card Templates either add a new template or edit an existing template. Click the Edit link beside Issue Card and enable Capture photo. Click the Configure button and select either Capture always, if a photo must always be captured during card issuance, or Capture only if no photo is available, if a photo should only be captured when none is available. Select the variable ${PictureCms} that the photo will be associated with from the drop down list. This variable is associated with the user's DN and is configured from the Options > Variables page. Enable the Save photo check box if the captured photo is to be saved to the local file system. For the S-Series the photo is saved to C:\Program Files (x86)\versasec\vsec_cms S-Series\cms_db\data if the S-Series was installed to the default location.

During card issuance, after selecting the user who is to be issued with a smart card, the photo capture dialog appears. Select the device and click the Fetch button. The preview window appears and the photo of the user can now be taken. Click the Capture button. If the quality is not as required, click the Fetch button again to take another photo. Once satisfied that the photo quality is correct, click the Save and Exit button at the bottom right of the dialog to continue the issuance process.

Use Smart Card Printer

In order to set up and connect to a smart card printer, follow the steps in this section.

Note: Currently the S-Series supports the Fargo HDP5000, Datacard SR300 and Evolis Primacy printers.

Initial Setup

This section describes the initial preparation tasks that need to be carried out, depending on the printer used.

Evolis Primacy

For the initial setup copy the file iomem.dll from the printers folder to the same location that the S-Series application executable resides in. If the default installation was selected and the operating system is 64-bit, a folder called printers will be present at C:\Program Files (x86)\versasec\vsec_cms S-Series. From the printers folder copy the file iomem.dll to C:\Program Files (x86)\versasec\vsec_cms S-Series, where vsec_cms_t.exe resides. Restart the application to complete.

Fargo HDP5000

For the initial setup copy the file FargoPrinterSDK14.dll from the printers folder to the same location that the S-Series application executable resides in. If the default installation was selected and the operating system is 64-bit, a folder called printers will be present at C:\Program Files (x86)\versasec\vsec_cms S-Series. From the printers folder copy the file FargoPrinterSDK14.dll to C:\Program Files (x86)\versasec\vsec_cms S-Series, where vsec_cms_t.exe resides. Restart the application to complete.

If it is required to print on both sides of the smart card during the smart card issuance process when using the Fargo HDP5000, it is necessary to ensure that the proper configuration is set on the printer. Two configuration steps are required:

- From Devices and Printers in Control Panel right click the printer and select Printing preferences. In the Device Options tab make sure that the Print Both Sides check box is checked;
- From Devices and Printers in Control Panel right click the printer and select Printer properties. Select the Advanced tab and click the Printing Defaults button. Again make sure that the Print Both Sides check box is checked.

Setup

This section describes how to set up a smart card printer so that it can be used with the S-Series. The technical details of the setup and how the different components work together are described below.

Note: The setup described here is for scenarios where the smart card reader(s) in the smart card printer are made available to the client computer that the S-Series operator uses to connect, through the USB cable connected between the printer and the client computer.

Important: The smart card printer can be set up on a network where the smart card reader is configured as a network smart card reader. In this type of configuration the communication is unencrypted. Therefore, if deciding on such a setup, be aware that the personal data sent to the smart cards being issued will be sent over the network unencrypted. Versasec does not recommend such a configuration, but if your network is considered secure you may wish to set up the printer in this way. This administration guide therefore only describes how the S-Series can be set up to use the smart card printer when the smart card reader(s) are connected to the operator's workstation using the USB cable.

There are 3 components involved:

- The server where the S-Series is installed;
- The client computer where the operator is logged on;
- The smart card printer, connected to the network AND using a USB connection from the printer to the client computer.

The components work together as follows:

- The operator (client) connects to the S-Series server;
- The smart card readers in the printer are made available through the USB cable as PC/SC readers to the client computer;
- The PC/SC readers are forwarded through to the server;
- The S-Series connects using TCP/IP to the printer for printing and for printer commands such as moving the card between the different stations within the printer.

Example Installation

This section describes an example setup for the Fargo HDP5000 smart card printer.

Note: For details on setting up and using a Datacard SR300 printer please refer to the use case PDF that accompanies the S-Series download package.

On the S-Series server run the HDP card printer installer. Click Next on the first two dialogs. Ensure that network connection is selected, enter the IP address of the printer and click Next. Click Next to complete the setup. You should reboot the server when complete.

Once the printer setup is complete, follow the steps below to configure the smart card printer for use in the S-Series.

Set up a connection to the smart card printer from the Options > Connections page by clicking the Configure button in the Smart Card Printer section. With the smart card printer connected to the server that the S-Series is running on, select the available smart card printer from the drop down field. Click the Details button to retrieve additional information about the smart card printer.

Enable the Print front side only check box if it is required to print only on the front of the smart card. Please refer to the section above, which highlights important settings that need to be set when using the HID Fargo HDP5000 printer in order to be able to print on both sides of the smart card.

From the Transform back side image drop down list select one of the following options: None, Rotate, Flip Horizontal, Flip Vertical.

From the Eject failed cards drop down list select one of the following options: Front side, Back side.

Click the Test print button to test that an actual smart card can be printed. From the Smart Card Reader section, click the Detect button to allow the application to detect the printer card reader. See the Detect Smart Card Reader in Printer section below for further details on detecting the smart card reader for the printer. When complete click the OK button to save the configuration.

In order to configure a smart card template to perform printing during the issuance process, from the Templates > Card Templates page select or create a card template. In this example an existing card template is selected; click Edit. From the Smart Card Template dialog click the edit link in the Issue section and scroll to the Printing Options section. Enable the Print smart card check box and select the smart card printing layout that is to be applied during the printing operation. Enable the Preview before printing check box if it is required to preview the print content before physically printing the card during the issuance process.

If it is required to add and/or edit existing smart card printing layouts, click the Manage button in the previous dialog. You can add, delete and edit layout templates. Select the example template and click Edit. Click the Export button to export the current layout file that is stored in the S-Series database. This file is saved as a text file along with the BMP files used for the front and back design. Click the Import button to import a layout file that you wish to use. From the Printer drop down list select the printer you wish to use. It is possible to preview what the printed smart card layout will look like by selecting a user from the user directory (click the Get user ID button) and clicking the Test button. The layout can be saved as a BMP file by clicking the Save as button.

Detect Smart Card Reader in Printer

If the smart card printer is configured as a network printer, i.e. there is no USB connection between the printer and the host used to connect to the S-Series, it is necessary to manually enter the name of the smart card reader into the Smart Card Reader field. This is configured from the Options > Connections page by clicking the Configure button for Smart Card Printer. By default this field is not editable. In order to manually type the name of the smart card reader into this field it is necessary to open the dialog with the Ctrl + Shift keys pressed: from the Options > Connections page, hold down the Ctrl + Shift keys and click the Configure button for Smart Card Printer. It will now be possible to enter the smart card reader name into the Smart Card Reader field.

A tip for obtaining the smart card reader name is to run the command certutil -scinfo from a command window. This command lists all smart card readers available on the server. For example, if the smart card reader built into the printer is a Broadcom reader, enter the reader name Broadcom Corp Contacted SmartCard 0 into the Smart Card Reader field.

Smart Card Layout

The smart card layout for printing images and data onto the smart card is configured through a file known as a layout file in the S-Series.

Determining Data for Smart Card Layout File

When configuring smart card printing in the S-Series, it is important to be able to position and size the texts and images that are printed on the card. This section describes at a basic level how to do this. It lists a number of basic tasks and then describes how to accomplish them using Adobe Photoshop (one of the most popular image editing applications) and GIMP (a free and very capable application). As a final step this section describes how the positions for images and text can then be used and configured in the S-Series using a layout file.

Getting Details from the Printer

It is important to consult the smart card printer documentation to create the best possible design for the printer and smart card that are going to be used. However, some of the most important details are available directly from the S-Series application. The size of the smart card background is available from Options > Connections > Smart Card Printer > Details. In the example below the width is 648 and the height

Background Image Details

Typically smart card design is done using a background image, on which the other image elements are placed. The background image is typically designed by a graphic designer and shall be made according to the specifications provided by the selected smart card printer. If no background image is going to be used, make a default image that follows the specification of the selected smart card printer. Below is shown an example background image and how this image would look if printed onto a smart card.

Get Details from an Existing Background Image

Using Photoshop: With the image file open, go to Image/Image Size. The width and the height can be found in the dialog that then opens.

Using GIMP: With the image file open, go to Image/Image Properties. The width and the height can be found in the dialog that then opens.

Conclusion: The background image in this example has the following position and size: Left=0, Top=0, Width 648, Height 1016

Create a New Background Image

Using Photoshop: Go to File/New and fill in the dialog that pops up with the correct details for your smart card printer.

Using GIMP: Go to File/New and fill in the dialog that pops up with the correct details for your smart card printer.

Conclusion: The background image in this example has the following position and size: Left=0, Top=0, Width 1013, Height 639

Place an Image On Top of the Background

Note: Currently transparency is not supported in the S-Series.

Using Photoshop: Place your image at the preferred position on the background and select it (the layer), then hit CTRL+T (free transform); all the position and size details are then shown in the Info palette.

Using GIMP: Place your image at the preferred position on the background and select it (the layer). Zoom in (hit +) on the upper left corner of the layer to get its position (shown on the lower left border). The size of the image can easily be found by going to Layer/Layer Boundary Size.

Conclusion: The image in this example has the following position and size: Left=516, Top=642, Width 75, Height 294

Place a Text On Top of the Background

To calculate the position for placing text onto the smart card you can use a text label. For example, with GIMP, draw the text area where you want the text written and place the mouse at the top left corner of the label to find the left and top positions, 62 and 50 in this case. In order to calculate the width and height you can use the layer boundary size. In this example the width has a value of 158 and the height 436.

Parameter Values Overview

This section describes the X,Y co-ordinates for the smart card layout as used by the S-Series.

Position and Size

Front and Back

164 Rotation Smart Card Layout File The smart card layout file is divided into 2 main sections Front and Back. Front In this section the layout for the design that will be printed on the front of the smart card is defined. From here there can be any number of parameters defined, from Field1 Fieldn. For example, if it is required to configure a background design, text fields, a user picture and a rectangle area to be printed on the front of the smart card the Front section parameters (4 in total) could be defined as below: Field1=Front_FixedBackground Field2=Front_Textfeld1 Field3=Front_UserPicture Field4=Front_Rect1 The elements then for each parameter would be defined in these sections, for example, sections called: [Front_FixedBackground], [Front_Textfeld1], [Front_UserPicture] and [Front_Rect1]. Back In this section the layout for the design that will be printed on the back of the smart card is defined. From here there can be any number of parameters defined, from Field1 Fieldn. For example, if it is required to configure a background design and a text field to be printed on the back of the smart card the Back section parameters (2 in total) could be defined as below: Field1=Back_FixedBackground Field2=Back_Textfeld1 vsec:cms versasec.com 164(338)

The elements for each parameter would then be defined in their own sections, for example sections called [Back_FixedBackground] and [Back_Textfeld1].

Layout Elements

Key              Sample Value   Description
Type             FixedImage     The type of the element (see table below). This triggers different rendering methods.
Left             10             Left position of this element.
Top              30             Top position of this element.
Width            100            Width of this element.
Height           30             Height of this element.
Orientation      0.0            Orientation in degrees (to rotate the element).
BackgroundColor  128,128,128    RGB of the background color for the element.
Transparent      1              0=Element is not transparent. 1=Element will have a transparent background.
Mandatory        0              1=Field is mandatory. If no data is available for this field, the rendering will fail. 0=Field is not mandatory. If no data is available, this field will be kept empty.
Value                           Value depends on the Type.
ValueFile        C:\front.bmp   Reference to a file where the value is taken from (e.g. for RTF or images).

The supported types are defined in the table below:

Type            Description
fixedimage      This element describes a fixed image which is part of the layout, for example a company logo. The ValueFile field will contain a reference to the image file.
rtftext         This element contains RTF text, which is used to handle the text formatting. The RTF text can contain variables configured from the Options Variables page of the S-Series.
image           This element describes a variable image, which will be read at runtime when rendering the layout. The Value field will contain an S-Series variable configured from the Options Variables page.
fixedgdiobject  This element is used to draw rectangles. The Value field will have to be set to Rectangle.
barcode         This element is used for printing a bar code onto the smart card.

Example

Follow the steps in this section to configure the S-Series to print a layout onto a smart card. Below is an example of the printed smart cards, front and back, as would result from applying this example configuration.

Front View and Back View

Step 1: Configure Front Background Image

Using the image below, background_image.png, enter the following settings into the layout file:

[Front_IMAGE_BACKGROUND]
Type=FixedImage
ValueFile=background_image.png
Left=0
Top=0
Width=648
Height=1016
Orientation=0.0

Step 2: Configure Front ID Photo

Using the image below, employee_picture.png, enter the following settings into the layout file. The ValueFile parameter would typically be linked to a variable in the S-Series so that the picture of the user to whom the smart card is being issued is retrieved and printed. For example, if a variable named picture is already defined in the S-Series, the value would be ValueFile=${picture}.

[Front_IMAGE_EMPLOYEE_PICTURE]
Type=FixedImage
ValueFile=employee_picture.png
Left=46
Top=58
Width=342
Height=331
Orientation=0.0

Step 3: Configure Front Employee Name and Job Title

Enter the settings below into the layout file. In this case an RTF file is used to store the name of the employee and the job position title.

[Front_TEXT_EMPLOYEE_NAME_AND_TITLE]
Type=RtfText
ValueFile=employee_name_and_title.rtf
Left=450
Top=0
Width=390
Height=100
Orientation=270.0
BackgroundColor=0,0,0
Transparent=1

The contents of the RTF in this example would be as below. Typically the contents of the RTF would refer to variables defined in the S-Series that retrieve the employee name and job title from a user directory when issuing and printing a smart card for a user. The contents of the RTF would then be as in the example below, where employeename and employeetitle are variables defined in the S-Series.

Step 4: Configure Back of Card

Using the image below, back_of_card.png, enter the following settings into the layout file:

[BACK_IMAGE_COMPANY_URL]
Type=FixedImage
ValueFile=back_of_card.png
Left=0
Top=0
Width=648
Height=1016
Orientation=0.0

Step 5: Completing the Layout File

All of the settings defined above need to be placed into one layout file. Below is the completed layout file that would then be imported into the S-Series.

; Add comments to layout file using ; character
;Front of card is side with smart card chip facing out
;Back of card is blank white side showing
[Front]
Field1=Front_IMAGE_BACKGROUND
Field2=Front_IMAGE_EMPLOYEE_PICTURE
Field3=Front_TEXT_EMPLOYEE_NAME_AND_TITLE
[Back]
Field1=BACK_IMAGE_COMPANY_URL
;;
;; Design the front of card layout
;;
[Front_IMAGE_BACKGROUND]
Type=FixedImage
ValueFile=background_image.png
Left=0
Top=0
Width=648
Height=1016
Orientation=0.0
[Front_IMAGE_EMPLOYEE_PICTURE]
Type=FixedImage
ValueFile=employee_picture.png
Left=46
Top=58
Width=342
Height=331
Orientation=0.0
[Front_TEXT_EMPLOYEE_NAME_AND_TITLE]
Type=RtfText
ValueFile=employee_name_and_title.rtf
Left=450
Top=0
Width=390
Height=100
Orientation=270.0
BackgroundColor=0,0,0
Transparent=1
;;;
;;; Design the back of card layout
;;;
[BACK_IMAGE_COMPANY_URL]
Type=FixedImage
ValueFile=back_of_card.png
Left=0
Top=0
Width=648
Height=1016
Orientation=0.0

Bar Code Printing

It is possible to configure the S-Series to print bar codes on a smart card during the issuance process. To perform bar code printing, a section of type barcode needs to be added to the smart card layout file. For further details on how to configure the S-Series to enable bar code printing please contact Versasec.
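A parser and sanity checker for the layout file format described in this section, added here as an example and not part of Versasec's product or documentation. It reads the layout file completed in Step 5 (abbreviated, with the employee picture element left out) and follows each FieldN reference to its section; the 648 x 1016 card size and the element types come from this section, while the bounds check, the handling of 90/270 degree orientation and the per-type value checks are assumptions.

```python
"""Parse and sanity-check an S-Series smart card layout file (added example, not Versasec code)."""
import configparser

CARD_WIDTH, CARD_HEIGHT = 648, 1016   # background image size in the worked example above
KNOWN_TYPES = {"fixedimage", "rtftext", "image", "fixedgdiobject", "barcode"}

# Constructed sample: the Step 5 layout file, abbreviated (employee picture element left out).
SAMPLE_LAYOUT = """\
; Add comments to layout file using ; character
[Front]
Field1=Front_IMAGE_BACKGROUND
Field2=Front_TEXT_EMPLOYEE_NAME_AND_TITLE
[Back]
Field1=BACK_IMAGE_COMPANY_URL
;; Design the front of card layout
[Front_IMAGE_BACKGROUND]
Type=FixedImage
ValueFile=background_image.png
Left=0
Top=0
Width=648
Height=1016
Orientation=0.0
[Front_TEXT_EMPLOYEE_NAME_AND_TITLE]
Type=RtfText
ValueFile=employee_name_and_title.rtf
Left=450
Top=0
Width=390
Height=100
Orientation=270.0
BackgroundColor=0,0,0
Transparent=1
;;; Design the back of card layout
[BACK_IMAGE_COMPANY_URL]
Type=FixedImage
ValueFile=back_of_card.png
Left=0
Top=0
Width=648
Height=1016
Orientation=0.0
"""


def build_element(name, sec):
    """One [section] as a dict, insisting on the keys every element needs."""
    etype = sec.get("Type", "").lower()
    if etype not in KNOWN_TYPES:
        raise ValueError(f"[{name}] has unsupported Type {sec.get('Type')!r}")
    for key in ("Left", "Top", "Width", "Height"):
        if key not in sec:
            raise ValueError(f"[{name}] is missing {key}")
    return {"name": name, "type": etype, "orientation": sec.getfloat("Orientation", 0.0),
            "value": sec.get("Value", ""), "value_file": sec.get("ValueFile", ""),
            **{k.lower(): sec.getint(k) for k in ("Left", "Top", "Width", "Height")}}


def parse_layout(text):
    """Return {"Front": [element, ...], "Back": [...]} by following the FieldN references."""
    cp = configparser.ConfigParser(interpolation=None)  # keep ${picture}-style values literal
    cp.optionxform = str                                 # keep key case (Left, not left)
    cp.read_string(text)
    sides = {}
    for side in ("Front", "Back"):
        if not cp.has_section(side):
            raise ValueError(f"missing [{side}] section")
        elements = []
        for index, (key, target) in enumerate(cp.items(side), start=1):
            if key != f"Field{index}":        # parameters must run Field1..Fieldn in order
                raise ValueError(f"[{side}] expected Field{index}, found {key}")
            if not cp.has_section(target):
                raise ValueError(f"[{side}] {key} refers to missing section [{target}]")
            elements.append(build_element(target, cp[target]))
        sides[side] = elements
    return sides


def check_element(el):
    """Placement and value problems for one element (assumed checks, not S-Series rules)."""
    w, h = el["width"], el["height"]
    if el["orientation"] % 180 == 90:   # assumption: 90/270 degrees swap the element's extents
        w, h = h, w
    problems = []
    if el["left"] < 0 or el["top"] < 0 or el["left"] + w > CARD_WIDTH or el["top"] + h > CARD_HEIGHT:
        problems.append(f"[{el['name']}] extends outside the {CARD_WIDTH}x{CARD_HEIGHT} card")
    if el["type"] in ("fixedimage", "rtftext") and not el["value_file"]:
        problems.append(f"[{el['name']}] Type={el['type']} needs a ValueFile")
    if el["type"] == "fixedgdiobject" and el["value"].lower() != "rectangle":
        problems.append(f"[{el['name']}] Type=fixedgdiobject needs Value=Rectangle")
    return problems


def validate_layout(text):
    """All problems in a layout file; an empty list means every check passed."""
    try:
        sides = parse_layout(text)
    except (ValueError, configparser.Error) as exc:
        return [f"structure: {exc}"]
    return [p for elements in sides.values() for el in elements for p in check_element(el)]


if __name__ == "__main__":
    print(validate_layout(SAMPLE_LAYOUT) or "layout OK")
```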

Operator Service Key Store

If the S-Series is required to:
Support USS; or
Use an authentication only operator card; or
Use an HSM for all master key operations,
then it is necessary to add what is referred to as an operator service key store (OSKS). The OSKS will then be used by the S-Series to perform administration key operations. Administration key operations require access to a master key used by the S-Series. The OSKS can take three forms:
An encrypted key store;
An HSM;
A physical hardware smart card token.

Setup for Encrypted Key Store

Follow the instructions in this section to configure the S-Series to use an encrypted key store as the OSKS.

Important: The OSKS in this case is an encrypted component that runs as a service and is accessible only by the S-Series.

1. Attach the System Owner operator smart card to the host where the S-Series is installed;
2. Go to Start All Programs Versasec vsec:cms S-Series tools and start the application Operator Card Tool (OCT). Important: The operator needs to use the System Owner operator card in order to carry out this process.
3. Click the button Copy System Identification Information as indicated below.
4. The OCT will save the identification information into the host system clipboard. Copy this information and send it to your provider;
5. The information will look similar to below:

<authkeys>
<tokencsn> cb3163a05ffff</tokencsn>
<tokenid>100000</tokenid>
<key><cont>vsec-sys-key</cont><spec>1</spec><pub> a4000.</pub></key>
</authkeys><key><cont>9c8927ae-ae77-4bc3-bbf a26c60</cont><spec>2</spec><pub> </pub></key>

</authkeys>

6. Versasec will then create an installation package and provide this back to your provider.
7. When the installation package is received, run the installer on the server to install the required files for the encrypted key store.
8. Start the S-Series application and from the Options Security page enable the Allow external smart card administration key loading and Enable operator service key store check boxes.
9. From the Options Operators page click the Add service key store button. You should see that the Key store field is automatically populated. Enter a name for the store and click the Add button to create the encrypted key store.
10. When complete you will see that the service key store is added and that it is active.

This completes the setup. The S-Series will use the master key stored in the encrypted key store for any operations requiring administration key operations when using the USS or operator only authentication tokens.

Setup for HSM

Follow the instructions in this section to configure the S-Series to use an HSM as the OSKS. During this process the master key stored on the operator smart card token will be migrated to the HSM.

1. Attach the System Owner operator smart card to the host where the S-Series is installed;
2. Go to Start All Programs Versasec vsec:cms S-Series tools and start the application Operator Card Tool (OCT). Important: The operator needs to use the System Owner operator card in order to carry out this process.
3. Click the button Copy System Identification Information as indicated below.
4. The OCT will save the identification information into the host system clipboard. Copy this information and send it to your provider;
5. The information will look similar to below:

<authkeys>
<tokencsn> cb3163a05ffff</tokencsn>
<tokenid>100000</tokenid>
<key><cont>vsec-sys-key</cont><spec>1</spec><pub> a4000.</pub></key>
</authkeys><key><cont>9c8927ae-ae77-4bc3-bbf a26c60</cont><spec>2</spec><pub> </pub></key>
</authkeys>

6. Versasec will then create an installation package and provide this back to your provider.
7. When the installation package is received, run the installer on the server to install the required files for the encrypted key store.
8. Start the S-Series application and from the Options Security page enable the Allow external smart card administration key loading and Enable operator service key store check boxes. Important: It will be necessary to have set up a connection to the HSM from Options Connections before being able to complete the setup here. See the section below for details on this.
9. From the Options Operators page click the Add service key store button. You should see that the Key store field is automatically populated. Enter a name for the store and click the Add button to create the encrypted key store.
10. When complete you will see that the service key store is added and that it is active.

This completes the setup. The S-Series will use the master key stored in the HSM for any operations requiring administration key operations when using the USS or operator only authentication tokens.

Setup for Physical Hardware Smart Card Token

If the OSKS is using a physical hardware smart card token then it will need to be always available to the S-Series service on the server that it is running on. It is recommended that the physical smart card used is physically attached to the server, thereby reducing the risk that this card becomes unavailable to the S-Series. Follow the instructions in this section to configure the S-Series to use a physical smart card token as the OSKS.

It will be necessary to receive an operator token from your supplier. The restore operator token can be used as an operator service card and should be registered with the S-Series. From the Options Operators page click the Add service key store button and select the reader that the card is attached to. Enter an appropriate name for the store and click the Add button. The S-Series will then add this card as an OSKS.

If it is required to deactivate the operator service card, select the card from the Options Operators page and click the Inactive button. If the card is inactivated it will not be possible to perform USS flows or use an authentication only operator card in the S-Series.

Note: If the S-Series service is restarted or the operator service card is removed from the reader, it will be necessary to activate the card again for it to become active in the system.

Note: It will be necessary to enable the Allow external smart card administrator key loading checkbox from the Options Security page.

Multiple Roles

This section explains how to configure the S-Series to support multiple roles on a user smart card and how to issue certificates for those roles. Multiple roles are where a user/employee within an organization has more than one Windows account (or role). In a multiple forest environment a user may have several different Windows accounts across multiple active directories (AD). Therefore, when issuing a smart card for such a user it must be possible to issue multiple certificates for the user, one associated with each Windows account. For example, a Windows user has 2 administration accounts: adminrole1 and adminrole2. This user must be issued with 2 certificates, which will then be used to authenticate the user as either adminrole1 or adminrole2.

Before describing how to configure multiple role support it is important to understand how this works in the S-Series.

Step 1: When a smart card is issued to a user in the S-Series, the smart card will be assigned a user identifier (ID), which will be selected from a directory such as AD. This ID will be in the form of a DN and will be referred to as the primary user in this section.

Step 2: The S-Series will take the DN from step 1 and, depending on the rules configured for a role to derive a user DN, it will retrieve the DN for the configured role. There are three mechanisms to derive the DN for a given configured role template. These are:

Step 2 a): If the DN mechanism is used to derive the DN, the S-Series will take the DN returned in step 1, apply the rules set in the role template and derive the DN for the user.

Step 2 b): If the Windows account name mechanism is used, the S-Series will take the DN returned in step 1 and retrieve the Windows account name for this DN. The S-Series will then apply the rules set in the role template and derive the Windows account name for the user. The S-Series will then take this value and retrieve from the AD configured in the role template the DN for this Windows user account.

Step 2 c): If the Windows UPN mechanism is used, the S-Series will take the DN returned in step 1 and retrieve the Windows UPN for this DN. The S-Series will then apply the rules set in the role template and derive the Windows UPN for the user. The S-Series will then take this value and retrieve from the AD configured in the role template the DN for this Windows UPN.

Step 3: The certificate requests can now be processed. Depending on the CA that is used and what is configured in the certificate template, either the DN or the Windows account name will be sent to the CA to request that it issue the certificates for the user.

Smart Card Template to Support Multiple Roles

This section describes how to configure a smart card template with support for multiple role(s).

1. From Templates Card Templates click the Add button to create a new template. Click the Edit link beside General.
2. Add a template name and enable the Supports multiple role(s) checkbox. Click Ok to close.
3. Click the Edit link beside Issue Card.
4. Enable the Assign user ID check box under User ID Options and select the directory that the user will be selected from in the drop down list. This is the user directory that the primary user will be selected from during the issuance process, and all role IDs will be derived from this user.
5. Click the Role(s) button and click the Manage button to configure the specific settings for the roles.
6. Click the Add button. Enter a name for the role template; 6 options are available from the drop down list. The selected option will depend on how you wish to configure the rules for deriving the user ID from the primary user selected during smart card issuance.

a) If Generate (Apply prefix/suffix to distinguished name (DN)) is selected then it is possible to configure a prefix or suffix to be added to a specific DN field, for example the CN field. Additionally it is possible to perform a search and replace operation on the DN in order to derive the user ID from the selected primary user during the smart card issuance. If both options are configured then the prefix or suffix operation is performed first, followed by the search and replace operation. It is possible to test the configuration by clicking the Generate ID button and selecting the primary user that would be selected during the smart card issuance. For example, if the primary user that would be selected has a DN of:

CN=Admin Role,OU=role1,DC=versasec,DC=com

then from the configured settings in this example the user DN that would be retrieved would be:

CN=Admin Role2,OU=role2,DC=versasec,DC=com

Click the Test button and a success dialog will be shown indicating that the settings are correctly configured. Click the Save button to save the template.

b) If Generate (Apply prefix/suffix to account name) is selected then it is possible to configure a prefix or suffix to be added to a specific Windows account name. Additionally it is possible to perform a search and replace operation on the Windows account name in order to derive the user ID from the selected primary user during the smart card issuance. If both options are configured then the prefix or suffix operation is performed first, followed by the search and replace operation. From the Active Directory drop down list, select the AD connection already configured from Options Connections Active Directory from which the Windows account name will be retrieved. It is possible to test the configuration by clicking the Generate ID button and selecting the primary user that would be selected during the smart card issuance. For example, if the primary user that would be selected has a Windows account name of:

VERSASECSECURI\adminrole

then from the configured settings in this example the user that would be retrieved would be:

VERSASECSECURI\adminrole2

Click the Test button and a success dialog will be shown indicating that the settings are correctly configured. Click the Save button to save the template.

c) If Generate (Apply prefix/suffix to UPN) is selected then it is possible to configure a prefix or suffix to be added to a specific Windows UPN. Additionally it is possible to perform a search and replace operation on the Windows UPN in order to derive the user ID from the selected primary user during the smart card issuance. If both options are configured then the prefix or suffix operation is performed first, followed by the search and replace operation. From the Active Directory drop down list, select the AD connection already configured from Options Connections Active Directory from which the Windows UPN will be retrieved. It is possible to test the configuration by clicking the Generate ID button and selecting the primary user that would be selected during the smart card issuance. For example, if the primary user that would be selected has a Windows UPN of:

adminrole@versasec.com

then from the configured settings in this example the user that would be retrieved would be:

adminrole2@versasec.com

Click the Test button and a success dialog will be shown indicating that the settings are correctly configured. Click the Save button to save the template.

d) If Select (Manually select user ID) is selected then it is possible to manually select the user during a manual smart card issuance. A manual smart card issuance can be performed from the Actions Certificate/keys page. This workflow is described below in the section Manually Issue Certificate with Multiple Roles. From the Select user ID using drop down list, select the directory that the user will be selected from when manually issuing the certificate for them.

e) If From variable (ID stored in a variable) is selected then it is possible to retrieve the user's DN from an attribute value and then use this value to issue a certificate for this user in another AD.

f) If From query (Run LDAP query to retrieve DN) is selected then it is possible to retrieve a unique attribute value that can be used to find a user in another AD.

7. Click the Save button to save the template.
8. From the Role templates drop down list select the role template(s) configured and click the Add button. Click Ok to save and close.

Automatic Certificate Issuance with Multiple Roles

Once the multiple role templates have been configured as described in the previous section, it is necessary to complete the configuration for the smart card template. Enable the Enroll certificate(s) check box and click the Add button. From the User ID drop down list select the Standard User ID option. This is the primary user that will be selected during the smart card issuance process. Select the certificate authority that will issue the certificate from the Certificate authority drop down list and select the certificate template that will be used. Click Ok to save and close. Click the Add button to add an additional certificate. From the User ID drop down list select the role configured as described in the section Smart Card Template to Support Multiple Roles above. This will be the Windows account that is derived from the primary user selected (the Standard User ID configured) during the smart card issuance process. Select the certificate authority that will issue the certificate from the Certificate authority drop down list and select the certificate template that will be used. Click Ok to save and close. Click Ok to save and close the template.

Manually Issue Certificate with Multiple Roles

If it is required to issue additional certificate(s) for a user who has multiple roles in an organization, but where it is not possible to configure a role from which to derive a Windows user account, then it is possible to configure and issue a certificate manually using the S-Series. First a role will need to be configured as described in section 6(d) of Smart Card Template to Support Multiple Roles above. Then from the Actions Certificates/keys page, with an already issued smart card attached, select the template from the drop down list and click the Issue button. From the User ID drop down list select the role configured. Select the certificate authority that will issue the certificate from the Certificate authority drop down list and select the certificate template that will be used. Click Ok to continue. When prompted enter the user that the certificate should be issued for and click Ok to begin the issuance process. This completes the issuance.
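The derivation rules from step 6 (a) to (c) carried through the Step 2 flow, as an added example that is not Versasec code: it applies the prefix/suffix first and the search and replace second, using this section's own sample values. The DN attribute the affix applies to, attaching an affix to the user part of an account name or UPN, and the DIRECTORY dictionary standing in for the AD lookups are assumptions.

```python
"""Derive a role's user ID from the primary user, as in steps 2 and 6 above (added example, not Versasec code)."""
import re
from dataclasses import dataclass


@dataclass
class RoleRule:
    """One role template: an optional prefix/suffix, then an optional search and replace."""
    prefix: str = ""
    suffix: str = ""
    dn_field: str = "CN"   # DN attribute the prefix/suffix applies to (DN mechanism; assumed default)
    search: str = ""
    replace: str = ""


def split_dn(dn):
    """Split 'CN=a,OU=b' into [('CN', 'a'), ('OU', 'b')], leaving escaped '\\,' inside values."""
    return [tuple(part.partition("=")[::2]) for part in re.split(r"(?<!\\),", dn)]


def search_replace(value, rule):
    """Second stage of every mechanism: plain substring search and replace, if configured."""
    return value.replace(rule.search, rule.replace) if rule.search else value


def derive_dn(primary_dn, rule):
    """Step 2 a): affix one DN attribute (assumed: its first occurrence), then search/replace."""
    pairs = split_dn(primary_dn)
    for i, (attr, value) in enumerate(pairs):
        if attr.lower() == rule.dn_field.lower():
            pairs[i] = (attr, rule.prefix + value + rule.suffix)
            break
    return search_replace(",".join(f"{a}={v}" for a, v in pairs), rule)


def derive_account(account, rule):
    """Step 2 b): DOMAIN\\user; the affix is assumed to attach to the user part only."""
    domain, sep, user = account.rpartition("\\")
    return search_replace(domain + sep + rule.prefix + user + rule.suffix, rule)


def derive_upn(upn, rule):
    """Step 2 c): user@domain; the affix is assumed to attach to the user part only."""
    user, sep, domain = upn.partition("@")
    return search_replace(rule.prefix + user + rule.suffix + sep + domain, rule)


# Constructed stand-in for the AD lookups the S-Series performs: DN -> (account name, UPN).
DIRECTORY = {
    "CN=Admin Role,OU=role1,DC=versasec,DC=com": ("VERSASECSECURI\\adminrole", "adminrole@versasec.com"),
    "CN=Admin Role2,OU=role2,DC=versasec,DC=com": ("VERSASECSECURI\\adminrole2", "adminrole2@versasec.com"),
}


def resolve_role_dn(primary_dn, mechanism, rule, directory=DIRECTORY):
    """Step 2 end to end: the DN the certificate for this role will be requested for.

    "dn" derives the DN directly; "account" and "upn" first look up the primary user's
    value, derive the role's value, then find the directory entry that carries it."""
    if mechanism == "dn":
        role_dn = derive_dn(primary_dn, rule)
        if role_dn not in directory:   # added check: a derived DN must exist before a request is made
            raise LookupError(f"derived DN {role_dn!r} not found in the directory")
        return role_dn
    if mechanism not in ("account", "upn"):
        raise ValueError(f"unknown mechanism {mechanism!r}")
    column = 0 if mechanism == "account" else 1
    derive = derive_account if mechanism == "account" else derive_upn
    wanted = derive(directory[primary_dn][column], rule)
    for dn, ids in directory.items():
        if ids[column].lower() == wanted.lower():
            return dn
    raise LookupError(f"no directory entry with {mechanism} {wanted!r}")


if __name__ == "__main__":
    rule = RoleRule(suffix="2", search="OU=role1", replace="OU=role2")
    for mechanism in ("dn", "account", "upn"):
        print(mechanism, "->", resolve_role_dn("CN=Admin Role,OU=role1,DC=versasec,DC=com", mechanism, rule))
```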

Multiple PINs

From Microsoft minidriver specification version 7, it is possible to configure and edit the PIN types that can be set on smart cards that support multiple PINs. Browse to Templates Card Templates and select the template configured for multiple PIN support. Multiple PIN support is enabled from the General page of the card template. From the Issue Card page, click the Add button in the Enroll Certificates section. Here a number of PIN types are configured. Click Manage; by default a number of PIN type templates are pre-configured. It is possible to add, delete and edit templates from this dialog.

It is possible to configure several options for a PIN type template. This is best understood by using an example of adding a template. Click the Add button to open the PIN type configuration dialog. Enter a template name and select the Card type from the drop down list.

From the drop down list for Purpose a number of options are available: Authentication PIN, Digital Signature PIN, Encryption PIN, Non Repudiation PIN and Administrator. Depending on the private key operation, the Windows operating system or application that is using the smart card will present a dialog, for example requesting the PIN for authentication if the user is performing Windows smart card logon.

From the drop down list for PIN Type a number of options are available:
Regular PIN: the normal alpha/numeric PIN set for private key operations.
External PIN (Bio or Pinpad): the PIN will need to be provided as a fingerprint or using an external PIN pad reader.
Challenge/Response PIN: the PIN will be provided as a challenge/response to authenticate the user.
No PIN: no PIN entry will be required.

From the drop down list for Cache a number of options are available:
Normal: normal cache behavior in the CSP.
Timed: time based cache in the CSP. The validity is set as a parameter in milliseconds.
Not cached: no cache for the user smart card in the CSP.
Always prompt: always prompt the user for their smart card PIN.

From the drop down list for PIN Policy, select the PIN policy that will be set and associated with the PIN. Click the Manage button to edit the PIN policy configuration.

Manage ID Types

It is possible to configure the user ID types used for the users to whom smart card tokens will be issued in the S-Series.

User Directory Types

When the S-Series is configured to use an AD for user provisioning, it is possible to configure the retrieval of additional user attribute values from the AD. These attribute values can then be associated with variables used as placeholders. For example, if the smart card is printed during the issuance process it may be necessary to print additional information about the user onto the smart card. This additional information can be retrieved from attributes stored in AD for the user.

To associate these variables with an AD attribute, select the card template, click the Edit button and click the Edit link for Issue Card. Click the Manage button in the User ID Options section, select the AD template and click Edit. A dialog similar to below will be shown. Click the Edit button in the Variable(s) section, which will display a dialog similar to below. In this example the variable name ${User } is associated with the AD attribute name mail. In AD the attribute name mail will contain the user's actual address, if this attribute is set in AD. Click Ok to save the association.

Then from the ID Assign dialog it is possible to test this with an actual user. Click the Get ID button to search AD for a user. Select a user and click the Edit button in the Variable(s) section. Click the Test button. If the user has an entry in the AD attribute, information similar to below will be shown.

Simple String Types

Issuing smart cards where the card template is set to assign a user identifier as Simple ID String allows an operator to set a string identifier that will be used to identify who the smart card was issued to. It is possible to configure the length that the ID string identifier can have by selecting the card template, clicking the Edit button and clicking the Edit link for Issue Card. Click the Manage button in the User ID Options section, select Simple ID String and click Edit. The dialog below will be shown. Enter the length that the identifier is allowed to have in the Length of generated ID string field and click Save to save and close.

Plugins

The vsec:cms Plugin API enables integration with the vsec:cms lifecycle processes. The plugins make it possible to customize the smart card management lifecycle processes and add/modify tasks for each lifecycle process, for example load applets, create and/or edit files on the smart card, generate keys, load credentials and report lifecycle changes to external systems. For full details, including sample code and examples, please contact Versasec.

Key Archival and Key Recovery

Key archival and key recovery configuration is covered in this section. Key archival is the storing of the private key of a certificate such that it can be recovered at a future time if required. Key recovery does not recover encrypted data or messages, but it does enable a user or administrator to recover keys that can subsequently be used for data recovery, that is, data decryption. Keys that are archived are associated with the DN of the user, the card template used and the card key container that the card was issued to. Therefore it will only be possible to restore keys to the particular user DN that the original key was archived for. Follow the instructions below to configure key archival and key recovery in the S-Series.

Note: If the S-Series is used to archive and retrieve keys then all archived keys created by the S-Series are stored encrypted in the S-Series database with a 128-bit AES key. The AES key is created when you initialize the S-Series on first use and stored encrypted in the CMS database using a key diversified by the master key of the S-Series. The master key is stored on the operator card and access to it is PIN protected. At runtime the AES key is held in the memory of the Windows service that the S-Series is running under.

Note: When an archived key is being recovered the S-Series will always restore the certificate that was originally issued for that key.

Important: Key archival and key recovery in the S-Series has the following implementation limitations:
There is no support for Microsoft Key Recovery Agent (KRA);
It is not possible to export and/or import PKCS#12 certificate files for key archiving;
If a card template is configured for multiple role support it will not be possible to configure key archival;
Advanced transaction log search filtering for key specific transactions is not supported;
The implementation only supports RSA keys.

Key Archival

To configure a key archival card template follow the instructions in this section. If you are using an Entrust CA see the section below for details on how to configure support for

1. Create a new card template as described in Create Card Template above.
2. Click the Edit link beside Issue Card. Under the User ID Options section enable the Assign user ID checkbox and select the user directory template for users that will be issued with smart cards. In the Enroll Certificate Options section enable the Enroll certificate(s) checkbox and click Add to add a certificate template.
3. Enable the Generate new key radio button and select the CA from the drop down list. Check the archive key check box. Enable restore if already archived if, during the issuance, the S-Series should check the key archive repository to determine whether an archived key already exists for the user. If an archived key already exists for this user, the S-Series will use this key when generating the certificate. If there is more than one archived key for the user, the S-Series will automatically select the most recently archived key.

4. Click Ok to save the settings.

Once the steps above are configured for a template, when it is required to recover a key the smart card whose key is to be recovered must be in the possession of the operator. From the Actions Certificates/Keys page, with the smart card attached, the operator should click the Recover button. The operator will be prompted to select the archived key that is to be recovered during the recovery flow to complete the recovery.

If an Entrust CA is used the configuration settings differ from those available with a MS CA. The archive key option will be automatically enabled, and it will not be possible to disable it if the archive key feature is enabled from the CA connection template. Enable the generate new key option if a new key should be generated when a card is issued. Enable the restore last option if key(s) already archived should be restored when the card is issued in a restore flow. Enter the number of key(s) that should be restored in the field available.

Important: If key archival is used with an Entrust CA configuration in the S-Series, registry keys must be enabled to support it, because the CSP used is the MS Base Smart Card Crypto Provider, which by default disables the import of encryption keys onto smart cards.

On 64 bit operating systems enable the following registry keys:

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Defaults\Provider\Microsoft Base Smart Card Crypto Provider]
"AllowPrivateSignatureKeyImport"=dword:
"AllowPrivateExchangeKeyImport"=dword:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft Base Smart Card Crypto Provider]
"AllowPrivateSignatureKeyImport"=dword:
"AllowPrivateExchangeKeyImport"=dword:

On 32 bit operating systems enable the following registry keys:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft Base Smart Card Crypto Provider]
"AllowPrivateSignatureKeyImport"=dword:
"AllowPrivateExchangeKeyImport"=dword:

Key Recovery

To configure a key recovery card template follow the instructions in this section.

1. Create a new card template as described in Create Card Template above.
2. Click the Edit link beside Issue Card. Under the User ID Options section enable the Assign user ID checkbox and select the user directory template for the users that will be issued with smart cards. In the Enroll Certificate Options section enable the Enroll certificate(s) checkbox and click Add to add a certificate template.
3. Enable the Restore key from archive radio button and select the template that the key will be recovered from in the Key to restore drop down list. Click Ok to save the settings.

Key Archive Housekeeping

From the Repository Archived Keys page the archived keys are listed. If an archived key must be deleted, for example because the key is no longer used or has been replaced by another key, select the key and click the Delete button. This removes the key from the S-Series database, so it will not be possible to restore the deleted key in the future.

It is possible to configure a key recovery role for a particular operator, thereby controlling what operations that operator can perform around key recovery. These settings are configured from the Options Roles page.
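The registry change described under Important above, as an added PowerShell example that is not Versasec's own code: it sets both values under the native provider key and, on 64 bit Windows, the Wow6432Node key, then reads them back for verification. It assumes that a DWORD value of 1 is what "enable" means here (Microsoft's documented meaning for these two values) and that it is run elevated on the S-Series host only.

```powershell
# Added example (not Versasec's code). Enables private key import for the
# MS Base Smart Card Crypto Provider so that archived Entrust encryption keys
# can be written to smart cards. Assumption: DWORD 1 = allowed (the "enable"
# in the guide). Apply only on the host where the S-Series runs; the provider's
# default of refusing imports is a protection worth keeping on other machines.

$providerPaths = @(
    'HKLM:\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft Base Smart Card Crypto Provider'
)
# On 64 bit Windows the guide lists the Wow6432Node key (32 bit view) as well.
if ([Environment]::Is64BitOperatingSystem) {
    $providerPaths += 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Defaults\Provider\Microsoft Base Smart Card Crypto Provider'
}
$valueNames = 'AllowPrivateSignatureKeyImport', 'AllowPrivateExchangeKeyImport'

foreach ($path in $providerPaths) {
    if (-not (Test-Path -LiteralPath $path)) {
        Write-Warning "Provider key not found (is the Base Smart Card CSP installed?): $path"
        continue
    }
    foreach ($name in $valueNames) {
        # -Force creates the value if it is missing and overwrites it otherwise.
        New-ItemProperty -LiteralPath $path -Name $name -PropertyType DWord -Value 1 -Force | Out-Null
    }
    # Read back so the change can be verified before any card is issued.
    $props = Get-ItemProperty -LiteralPath $path
    foreach ($name in $valueNames) {
        [pscustomobject]@{ Key = $path; Name = $name; Value = $props.$name }
    }
}
```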

Encode RFID Smart Card

It is possible to configure the S-Series to encode RFID chips during the issuance process.

Supported RFID Smart Cards

Currently, the S-Series supports the management of the following RFID protocols:
- Mifare Classic 4k
- Mifare DESFIRE EV1

Supported Contactless Card Readers

The S-Series has been validated to work with the following contactless card readers:
- HID Omnikey 5121
- HID Omnikey

RFID Serial Number Representation

An RFID serial number can be represented in 4 different ways: Hexadecimal Standard, Hexadecimal Reversed, Decimal Standard (4 byte), and Decimal Reversed (4 byte). This representation applies to HID Prox or iCLASS Wiegand (26 bit or 37 bit) RFID chips. By default the S-Series represents the RFID serial number as Hexadecimal Standard. If another representation is required, it can be selected at the variable level. There are two ways to retrieve the RFID serial number value, depending on how the RFID value should be represented; they are described by two examples.

Example 1: If the RFID serial number is to be extracted from the system during smart card issuance in decimal reversed representation, then from data export configure the variable {$RfidCsnDecRev} to extract the value during issuance.

Example 2: If the RFID serial number is to be extracted from the system after smart card issuance in hexadecimal reversed representation, then add the variable {$DbCardsRfidCsnHexRev} to the Repository Smart Cards view or extract the value through Repository Reports.

Configure RFID Support

Follow these steps to configure a smart card template that supports RFID encoding.

1. Create a smart card template with support for RFID. From Templates Card Templates click the Add button and click the Edit link beside General. Enter a name for the template, attach an RFID smart card and click the Detect button. A dialog will appear in which the smart card reader that the RFID smart card is inserted into should be selected. Click OK to select the card type and click OK to save the template.
2. Click the Edit link beside Issue card and in the Contactless section enable the Encode RFID checkbox. Click the Manage button to configure the template.
3. Click the Add button to add a new template. Enter a name for the template and select either RFID (Mifare classic) or RFID (Mifare Desfire EV1) from the drop down list, depending on the RFID that is to be used. Enter the Key(s) and enable hide characters if the key values should not be displayed. Click the Save button; this requires operator authentication to complete. Refer to the RFID Implementation section below for more detail about RFID.
4. Select the template from the drop down list in the Contactless section and click OK to save.

RFID Implementation

The S-Series supports the MIFARE Classic 4K and DESFIRE EV1 RFID smart cards. Security keys (key A and key B for MIFARE Classic 4K; Key R (read) and Key W (write) for DESFIRE EV1) are required. The following smart card operations require such keys:
- Change the keys on the smart card;
- Authenticate with the keys to the smart card to get READ and/or WRITE access.
These keys need to be managed by the S-Series.

Security Considerations

The cryptography, that is the authentication with the smart card and the encryption of the Radio Frequency (RF) communication, is performed in the smart card reader. This means the keys need to be sent to the smart card reader when operating with the smart card. Since the keys also need to be shared with other components in the IT infrastructure, such as door lock readers, the S-Series provides the possibility to import and/or export the key material. Two important points about key security need to be highlighted:
- Import and/or export of key material is performed in the clear in the S-Series;
- The keys are sent in the clear to the smart card reader through the PC/SC protocol.

Key Security in S-Series

The S-Series protects the keys against the following vulnerabilities:
- Extracting the keys from the S-Series database;
- Unauthorized export of the keys from the S-Series database;
- Extracting the keys from memory while the keys are in use at application runtime.

The keys are protected in the S-Series as follows:
- When storing the keys in the S-Series database, the key material is encrypted with a 3DES key which is derived from a master key stored on the operator smart card, access to which is protected by the operator PIN. This master key is a random key and is different for each S-Series customer. This means:
  - It is only possible to decrypt the keys within the organization where the keys were encrypted;
  - When it is required to save and/or export the keys from the S-Series, an operator smart card must be available and the operator PIN must be known in order to authenticate to the card.
- Whenever the keys are decrypted, i.e. when it is required to perform operations with them, the keys are obfuscated in memory. The keys are removed from memory when access to the keys is no longer required.

For further details on how to use the S-Series with the management of RFID chips please contact Versasec.

Temporary Card Template

It is possible to configure temporary card template(s) that allow a temporary card to be issued to a user, to cover scenarios such as a user forgetting to bring their smart card to their place of work. The temporary card template is linked to the original card template used to issue the user's card, referred to in this section as the primary card template. When a temporary card is issued to a user, the primary card template receives a notification to, for example, put the primary card certificate on hold on the CA.

Below, a simple example is used to describe how to set up a temporary card flow in the S-Series. In this example a Windows smart card logon certificate is issued to a user to allow them to perform strong two-factor Windows domain authentication.

Step 1 Create Primary Card Template

Create a card template that will be referred to as the primary card template. From Templates Card Templates click the Add button. Click the Edit link beside General and enter a template name of Primary Card Template. Click the Configure button for Dependent smart card template and make sure that the configuration is as below.

Click Ok to save the settings and close the General dialog. Now click the Edit link beside Issue.

In this example enable Assign user ID and select an AD connection already configured. Enable Enroll certificate(s) and click the Add button to add a certificate template from your CA, a Windows smart card logon certificate in this case. Click Ok to save the settings for this dialog and close.

Now click the Edit link beside Inactivate Card. Make sure to enable the Update certificate status at CA check box. This notifies the CA to put the certificate on hold when a temporary card is issued for the user. Click Ok to save.

Finally click the Edit link beside Activate Card. Make sure to enable the Update certificate status at CA check box. This notifies the CA to reinstate the certificate that was on hold when the temporary card is revoked from the S-Series.

Step 2 Create Temporary Card Template

Create a card template that will be referred to as the temporary card template. From Templates Card Templates click the Add button. Click the Edit link beside General and enter a template name of Temporary Card Template.


Enable the This template is depending on check box and select the primary card template already configured in Step 1. Enable the Allow normal smart card issuance check box, which makes it possible to issue a temporary card from the normal Lifecycle page of the S-Series. If this option is not enabled it is only possible to issue temporary cards from the Actions Temporary Smart Card page.

Click the Configure button for Dependent smart card template and make sure that the configuration is as below. For Issue Card select Inactivate: when the temporary card is issued, the certificate of the issued primary card is put on hold on the CA. For Revoke Card select Activate: when the temporary card is revoked, the primary card is activated again on the CA. Click Ok to save the settings and close the General dialog. Now click the Edit link beside Issue.

In this example enable Assign user ID and select an AD connection already configured. Enable Enroll certificate(s) and click the Add button to add a certificate template from your CA. Click Ok to save the settings for this dialog and close. This completes the configuration of both templates.

Step 3 Issue Primary Card

Issue a card using the Primary Card Template as normal and initiate the card, i.e. set a PIN code on the card after issuance so that it is in an active state.

Step 4 Issue Temporary Card

When the card holder issued in Step 3 (Bob Smith in this example) arrives at his workplace having forgotten his card, a temporary card needs to be issued. There are two options available to the operator in this case.

Option 1 Issue the Temporary Card from Lifecycle

Note: It is only possible to issue the temporary card template from the Lifecycle page if the Allow normal smart card issuance check box was enabled as described in Step 2 above.

From the Lifecycle page attach a blank smart card, click the Issued oval as normal and select the Temporary Card Template created in Step 2. After successfully issuing the temporary card a short summary similar to the one above is presented, indicating what operations have been performed. As can be seen in this example, the temporary card was issued and the primary card was inactivated on the system, meaning that on the CA the certificate was put on Hold, rendering it inactive. If the user attempts to use the primary card now, they should not be able to log onto their Windows domain.

Important: The CA will of course need to be set up such that all certificates that are put on hold are updated on the PKI system, either by publishing a new CRL or by using an OCSP service. This is beyond the scope of the S-Series. Please ensure that your PKI administrators configure this to ensure compliance for this type of work flow.

The user can now use the temporary card to log onto their Windows domain. Typically the temporary card certificate would be given a short validity period of 1 day.

Note: It is possible to validate that the primary certificate was put on hold on the CA from the CA console. In the MS certificate services console (certsrv.msc) browse to the Revoked folder, where you should see the certificate that was issued for the primary card in Step 3 on hold.

Option 2 Issue the Temporary Card from Actions

From the Actions Temporary Smart Card page click the Search button and select the user for whom a temporary card is to be issued.

Attach a blank smart card and select the temporary card template from the Smart card template drop down list. The current state of the primary card is shown in the state diagram, and further information about this primary card is displayed in the window above the state diagram. Click the Issue button to start the issuance.

After successfully issuing the temporary card a short summary similar to the one above is presented, indicating what operations have been performed. As in Option 1, the temporary card was issued and the primary card was inactivated on the system, meaning that on the CA the certificate was put on Hold, rendering it inactive; if the user attempts to use the primary card now, they should not be able to log onto their Windows domain. The Important note under Option 1, that the CA must publish a new CRL or use an OCSP service so that the hold takes effect on the PKI system, applies here too.

The user can now use the temporary card to log onto their Windows domain. Typically the temporary card certificate would be given a short validity period of 1 day.

Note: It is possible to validate that the primary certificate was put on hold on the CA from the CA console. In the MS certificate services console (certsrv.msc) browse to the Revoked folder, where you should see the certificate that was issued for the primary card in Step 3 on hold. The state diagram will also update to show that the primary card is now in an inactive state, as in the example diagram below.

Step 5 Revoke Temporary Card

When the user returns to their workplace on the next day in possession of their primary smart card, the primary card can be reactivated. The temporary card should also be revoked and retired from the system. To do this the operator navigates to the Lifecycle page, attaches the temporary card and clicks the Retired oval, which also revokes the card. At the end of the process a short summary is displayed indicating that the temporary card was revoked and that the primary card, along with its certificate, was put into an active state.

Configure Root and Sub CA Import

It may be necessary to import the root and sub CA certificates to the smart card during the issuance process. Follow the instructions in this section to configure this in the S-Series.

1. From the Options Connections page click Certificate Authorities and select an already created CA template that will be used for issuing the smart card certificates. When the template is selected, summary information about this template is displayed in the window below the template window. As in the example below, the file name for the certificate list is shown. Make a note of this file name (000f0001.certlist in the example below) as it is required in the next step.
2. Navigate to the location where the S-Series is installed. If the default installation location was used, navigate to C:\Program Files (x86)\versasec\vsec_cms S-Series\cms_db\certificates and create a certlist file with the name retrieved in step 1. In this example the file name is 000f0001.certlist.
3. The certlist file created in step 2 contains the locations of the root and sub CA certificate(s) that are to be written to the smart card during issuance. The content of the file should look like the sample file below.

<?xml version="1.0" encoding="utf-8"?>
<files>
  <certificates>
    <e file="c:\certs\root.cer"/>
    <e file="c:\certs\sub_ca1.cer"/>
  </certificates>
</files>

4. In the certlist file, configure the file attribute of each e element (c:\certs\root.cer and c:\certs\sub_ca1.cer in the sample above) to point to the location of the root and sub CA certificate file(s).
5. From the Templates Card Templates page select the card template that will write the root and sub CA(s) and click the Edit link for Issue Card. In the Enroll Certificates Options section enable the Import Root/SubCA certificate(s) to smart card check box to complete the configuration.

Configure PKCS#12 Certificate Database

Follow the instructions in this section to configure a database file that can be used when issuing smart card tokens with certificates that are stored as PKCS#12 or PFX files.

Important: Currently it is possible to configure this feature for CA connections that are configured for Entrust and PKCS#12 support.

A number of steps need to be configured in order to use this functionality. Firstly, configuration information needs to be added to a certificate list file. The certificate list file should be created in the cms_db\certificates folder located where the S-Series is installed. The name of the certificate list file must be the internal name of the CA template as set by the S-Series. You will find the name of the template by selecting the template from the Options Connections page. For example, below we have a PKCS#12 Connection Template. The file name in this example would be 000f0006.certlist.

Below is a simple example of the contents that should be provided in the file.

<?xml version="1.0" encoding="utf-8"?>
<files>
  <pkcs12>
    <e file="pkcs12_example1.db"/>
  </pkcs12>
</files>

In this example the pkcs12 section defines the location of the database file. The database file in this example resides in the default folder cms_db\certificates and is named pkcs12_example1.db. The location of the database file can also be configured as a relative or absolute path, depending on where it is located, as in the samples below:

<e file="..\pkcs12_example2.db"/>
<e file="c:\mypkcs12databsefile\pkcs12_example3.db"/>

The database file contains the information for the PKCS12 files that are to be imported. An example file is provided below:

<?xml version="1.0" encoding="utf-8"?>
<data>
  <e id="cn=john Doe,CN=Users,DC=example,DC=com">
    <v name="verification" file="johndoe_verification_cert.p12"/>
    <v name="encryption" file="c:\mypkcs12files\johndoe_enc_cert.p12"/>
  </e>
</data>

Each e element under the <data> tag gives the user DN as expected by the S-Series, and each v element gives the template name (Verification and Encryption in this example) and the location of the PKCS12 file. The template name is the name of the certificate template(s) as configured on the CA; for an Entrust CA, for example, these template names are seen in the Enroll Certificate Options section of the card template used. The names as configured here are case sensitive. The base location for relative PKCS12 file paths is the folder where the database file resides.
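Both certlist layouts on this page (the certificates section for root and sub CA import in the previous section, and the pkcs12 section here) and the PKCS#12 database file can be generated and checked from PowerShell; the example below is added here and is not Versasec's code. The install path is the default from this guide; the function names and the existence check are this example's own assumptions.

```powershell
# Added example (not Versasec's code): write a .certlist file and sanity-check a
# PKCS#12 database so that wrong paths are caught before issuance instead of
# surfacing as health check 31 "Configured certificates not found".
# Assumptions: default install path from the guide; function names are this example's own.

$CmsRoot = 'C:\Program Files (x86)\versasec\vsec_cms S-Series'
$CertDir = Join-Path $CmsRoot 'cms_db\certificates'

function New-CertList {
    # $TemplateId is the CA template's internal name (000f0001 and 000f0006 in the guide).
    # $Section is 'certificates' for root/sub CA import or 'pkcs12' for a database file.
    param(
        [Parameter(Mandatory)][string]$TemplateId,
        [Parameter(Mandatory)][ValidateSet('certificates', 'pkcs12')][string]$Section,
        [Parameter(Mandatory)][string[]]$Files
    )
    $doc = New-Object System.Xml.XmlDocument
    $doc.AppendChild($doc.CreateXmlDeclaration('1.0', 'utf-8', $null)) | Out-Null
    $root = $doc.AppendChild($doc.CreateElement('files'))
    $sec  = $root.AppendChild($doc.CreateElement($Section))
    foreach ($f in $Files) {
        $e = $sec.AppendChild($doc.CreateElement('e'))
        $e.SetAttribute('file', $f)          # relative paths are relative to cms_db\certificates
    }
    $path = Join-Path $CertDir "$TemplateId.certlist"
    $doc.Save($path)
    return $path
}

function Test-Pkcs12Database {
    # Walks every <e id="DN"><v name="template" file="..."/> entry and reports whether
    # the referenced .p12 exists. Relative paths resolve against the database's own folder,
    # which is the base location described in the guide.
    param([Parameter(Mandatory)][string]$DbPath)
    [xml]$db = Get-Content -LiteralPath $DbPath -Raw
    $base = Split-Path -Parent ([IO.Path]::GetFullPath($DbPath))
    foreach ($entry in $db.SelectNodes('/data/e')) {
        foreach ($v in $entry.SelectNodes('v')) {
            $file = $v.GetAttribute('file').Trim()
            if (-not [IO.Path]::IsPathRooted($file)) { $file = Join-Path $base $file }
            [pscustomobject]@{
                UserDN   = $entry.GetAttribute('id')
                Template = $v.GetAttribute('name')   # must match the CA template name, case sensitive
                File     = $file
                Exists   = Test-Path -LiteralPath $file -PathType Leaf
            }
        }
    }
}

# Usage, following the samples in the guide:
# New-CertList -TemplateId '000f0001' -Section certificates -Files 'c:\certs\root.cer', 'c:\certs\sub_ca1.cer'
# New-CertList -TemplateId '000f0006' -Section pkcs12 -Files 'pkcs12_example1.db'
# Test-Pkcs12Database -DbPath (Join-Path $CertDir 'pkcs12_example1.db') | Where-Object { -not $_.Exists }
```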

Configure S-Series Service for Windows User Account

This section describes how to configure the S-Series service to run under a specified Windows user account. By default the S-Series is configured to run under the Windows SYSTEM account. For setups where the USS is used to issue and/or renew certificates for managed user smart cards, the S-Series service must be configured to run under a different Windows user account. It is recommended to create a dedicated Windows user account used solely for the S-Series service. This Windows user account is then used as the Enrollment Agent, which is needed to issue and/or renew certificates on behalf of users.

Step 1 Create Windows Account

It is recommended to create a dedicated Windows account for the S-Series service, used only for that service. The Windows account does not need to be of a specific type; a domain user is sufficient, but specific permissions must be configured for this account as described in Step 3 below.

Important: It is recommended to configure the Windows account password to never expire. If it is not, the S-Series service will fail to start once the Windows password is changed, and it will be necessary to update the credential as described in Step 2 below.

Step 2 Configure S-Series Service

Once the dedicated Windows account is created in Step 1, open the Windows services console (services.msc) and stop the vsec:cms Service. Then right click vsec:cms Service and select Properties. Go to the Log On tab and select the This account radio button. Click the Browse button, select the Windows user account created in Step 1, enter the password for this user and click Apply.

Step 3 Configure Windows Permissions

The Windows user account created in Step 1 must be given full control of the dat folder of the S-Series. The dat folder is typically located where the S-Series was installed, i.e. C:\Program Files (x86)\versasec\vsec_cms S-Series if the default location was chosen during installation. Right click the dat folder and select Properties. Go to the Security tab, click the Edit button and add the Windows user account created in Step 1. Give the user full control and click Apply.

Additionally, specific permissions must be configured on a registry key for this Windows account. Open regedit and browse to the following location:

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Versatile Security\vSEC_CMS_T\Service]

Right click the Service key and select Permissions. Click the Add button, add the Windows user created in Step 1, give them full control as in the example dialog below, click Apply and close.

Start the vsec:cms Service from the Windows services console as in Step 2. The S-Series service now runs under the specified Windows account.

Important: If the S-Series is configured to use MS SQL as the database, the Windows user account created in Step 1 must also be added to the MS SQL database.
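Steps 2 and 3 above as an added PowerShell example (not Versasec's code), run from an elevated prompt on the S-Series host. The service display name, the dat folder and the registry key are the ones named in this section; the account name EXAMPLE\svc-vseccms, the install path and the Grant-FullControl helper are this example's assumptions.

```powershell
# Added example (not Versasec's code): steps 2 and 3 of this section in PowerShell.
# Assumptions: EXAMPLE\svc-vseccms is the dedicated account from Step 1, the S-Series
# is in its default install location, and Grant-FullControl is this example's helper.

$Account   = 'EXAMPLE\svc-vseccms'
$CmsRoot   = 'C:\Program Files (x86)\versasec\vsec_cms S-Series'
$DatFolder = Join-Path $CmsRoot 'dat'
$RegKey    = 'HKLM:\SOFTWARE\Wow6432Node\Versatile Security\vSEC_CMS_T\Service'

# Step 2: stop the service and change its Log On account. sc.exe needs the
# service name, which may differ from the display name shown in services.msc.
$svc = Get-Service -DisplayName 'vsec:cms Service'
Stop-Service -Name $svc.Name
$cred  = Get-Credential -UserName $Account -Message 'Password of the S-Series service account'
$plain = $cred.GetNetworkCredential().Password
& sc.exe config $svc.Name obj= $Account password= $plain
$plain = $null    # do not keep the clear-text password in the session longer than needed

# Step 3: full control on the dat folder and on the Service registry key, and
# nothing broader, so the account keeps the least privilege the guide calls for.
function Grant-FullControl {
    param([string]$Path, [string]$Identity)
    $acl = Get-Acl -LiteralPath $Path
    if ($Path -like 'HKLM:*') {
        $rule = New-Object System.Security.AccessControl.RegistryAccessRule -ArgumentList $Identity, 'FullControl', 'ContainerInherit', 'None', 'Allow'
    } else {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList $Identity, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow'
    }
    $acl.AddAccessRule($rule)
    Set-Acl -LiteralPath $Path -AclObject $acl
}
Grant-FullControl -Path $DatFolder -Identity $Account
Grant-FullControl -Path $RegKey    -Identity $Account

# Restart and confirm which account the service now runs under.
Start-Service -Name $svc.Name
(Get-CimInstance Win32_Service -Filter "Name='$($svc.Name)'").StartName
```

If the S-Series uses MS SQL, the same account still has to be added to the database as the Important note above says; that step is not covered by this script.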

Miscellaneous Settings

Home

The Home screen is displayed when an operator logs onto the S-Series. The Home screen presents information on the license, the number of smart cards managed by the S-Series, the expiration of the enrollment agent certificate, the operator token and the supported smart cards. Also, from the status bar it is possible to see how many operators are logged into the S-Series (bottom left hand side) and whether an enrollment agent certificate is installed and valid for the operator that is logged on (bottom right hand side).

License information

Information regarding who the license was issued to, as well as the maximum number of user cards that can be managed with the S-Series, is displayed. The screen also shows how many user cards have already been issued/registered and how many more cards can be issued/registered. Additionally, if a connection to a CA is configured that has an enrollment agent certificate, the expiration date of this certificate is displayed here.

Operator Token Information

Information about the version of the S-Series is provided here, along with details on the capacity used on the smart card. More details can be viewed by clicking the More information about your Operator Token link, which displays specific details about the hardware token.

Supported Smart Cards

Details about the supported smart cards are listed in this section.

Disaster Key Change

If an S-Series operator smart card token is lost and/or stolen, it is recommended to generate a new master key so that the lost and/or stolen S-Series operator token becomes unusable. It will be required to generate new master keys for all user smart cards registered from the lost and/or stolen S-Series token. The procedure is for one operator to generate a new master key, which is then set securely on the other S-Series operator smart card tokens on the system when they next connect to the S-Series service. Then the user smart cards must be updated with a new diversified key.

System Status

In the bottom right of the main S-Series application dialog a circle image is present which indicates the health of the application. The health state of the application can be in one of three states, indicated by color:
- Green: System health: OK
- Yellow: System health: Warning(s)
- Red: System health: Error(s)

If the circle is yellow or red, clicking on the circle icon opens a dialog that describes which settings need action. In this dialog, select an entry and click the Details button for more detailed information. Click the Acknowledge button, if enabled, to remove the message from the system.

The following health checks are performed by the S-Series. Each entry gives the ID, the health check performed, the description and action required, and how the check is reported (Red for an error, Yellow for a warning).

Note: The ID as shown here corresponds to the ID as shown in the System Status dialog.

ID 1 Scheduled backup (Red)
Reports problems when the scheduled backup fails.
Tip: Check the Options Settings Backup Settings to ensure the configuration is correct.

ID 2 Operator Service Card (OSC) (Yellow)
If an OSC is configured, but the OSC is not functioning.
Tip: Check the Options Operators page to ensure the OSC is available and activated.

ID 3 Invalid backup configuration (Red)
If backup is enabled but no backup folder is configured.
Tip: Check the Options Settings Backup Settings to ensure the configuration is correct.

ID 4 Revoke cache (Yellow)
There are pending revocation requests in the application cache.
Tip: Check the Options Connections page and in the Certificate Authorities section click the link for Number of certificates to revoke. Also check that connectivity to the CA is functioning.

ID 5 Export cache (Yellow)
There are pending data export requests in the application cache.
Tip: Check the Options Connections page and in the Data Export section click the link for Number of pending requests.

ID 6 Event cache (Yellow)
There are pending Windows events in the application cache.
Tip: Check the Options Connections page and in the External Trace section click the link for Pending packages.

ID 7 Image capture (Yellow)
Checks all card templates available for the currently logged on operator. Reported if there are templates which contain photo capturing but there is no photo capture device configured for the current client machine.
Tip: Check the Options Connections page and click the Configure button for Photo Capture, from where the photo capture device can be configured.

ID 8 EA certificate (Yellow)
Checks all card templates available for the currently logged on operator. Reported if there are templates configured to do certificate enrollment using a MS CA with signed requests but the configured EA certificate cannot be found and/or is not on the current operator token.
Tip: Check the Options Connections page and click the Configure button for Certificate Authorities. Select the CA template and ensure that an EA certificate is configured in the Enrollment Agent section.

ID 9 Smart card printer (Yellow)
Checks all card templates available for the currently logged on operator. Reported if there are templates configured for card printing but there is no printer configured and/or online for the current client machine.
Tip: Check the Options Connections page and click the Configure button for Smart Card Printer and ensure that the configuration is correct.

ID 10 User license low (Yellow)
If the user license count is less than 10% this is flagged as a warning to the operator.
Tip: Purchase additional user licenses if required.

ID 11 User license out (Red)
If the user license count is zero this is flagged as an error to the operator.
Tip: It is not possible to manage any additional smart card tokens in this state. It will be necessary to purchase additional user licenses.

ID 12 Operator license low (Yellow)
If the operator license count is less than 10% this is flagged as a warning to the operator.
Tip: Purchase additional operator licenses if required.

ID 13 Operator license out (Red)
If the operator license count is zero this is flagged as an error to the operator.
Tip: It is not possible to add additional operators in this state. It will be necessary to purchase additional operator licenses.

ID 15 Minidriver check (Yellow)
If the attached operator card is available and it is a PC/SC smart card, the application checks whether a minidriver is available for this smart card. In addition, checks for Gemalto .NET and IDPrime smart cards are performed.
Tip: Install the latest Gemalto minidriver on the machine.

ID 16 DB Disk Space Low (Yellow)
If the hard disk space available on the machine where the S-Series is installed, or the encrypted flash disk space for the T-Series, is 2 times the size of the current database, this is flagged as a warning to the operator.
Tip: Remove and/or clean up the file system to create more space if required.

ID 17 DB Disk Space Out (Red)
If the hard disk space available on the machine where the S-Series is installed, or the encrypted flash disk space for the T-Series, is 1 times the size of the current database, this is flagged as an error to the operator.
Tip: Remove and/or clean up the file system to create more space if required.

ID 18 Operator Card Space Low (Yellow)
If the space available on the operator token smart card is less than 4500 bytes this is flagged as a warning to the operator.
Tip: Remove and/or clean up the file system on the operator smart card token.

ID 19 Operator Card Space Out (Red)
If the space available on the operator token smart card is less than 2000 bytes this is flagged as an error to the operator.
Tip: Remove and/or clean up the file system on the operator smart card token.

ID 20 No minidriver available for user smart card inserted (Yellow)
If there is no available minidriver for the attached user smart card that is to be managed by the S-Series.
Tip: Install the smart card vendor minidriver on the machine where the S-Series is running.

ID 23 Self-Service service not running (Yellow)
If self-service is licensed and configured but the service is not running.
Tip: Check the Windows services and ensure that the vsec:cms - User Self-Service service is running.

ID 24 Self-Service service not configured (Yellow)
If the self-service feature is licensed but not configured.
Tip: Check the Options Connections page and click the Configure button for User Self-Service and ensure that the configuration is correct.

ID 25 Corrupted variable (Red)
If an imported variable is configured but the imported database is not available.
Tip: Check the Options Connections page and click the Configure button for Variables and ensure that the configuration is correct for the reported variable.

ID 26 Updating repository table (Yellow)
If the S-Series has been upgraded from version 3.1: the certificate expiry field in the smart card repository table in the database was not set correctly in version 3.1, so the table must be updated in version 3.2 to the correct expiry date for the issued certificates.
Tip: The operator should allow this update to complete. The update runs in a background thread.

ID 27 Untrusted plugin enabled (Yellow)
If the loading of unsigned DLL plugins is configured from the Options Security page this warning is displayed. Typically unsigned DLLs would be enabled when testing a plugin.
Tip: It is recommended not to have this feature enabled in a production environment.

ID 28 Reserved for future use
This ID is assigned to a future feature that is not yet implemented in the product.

ID 29 Untrusted plugin loaded (Yellow)
If the loading of unsigned DLL plugins is configured from the Options Security page and an unsigned DLL is loaded, this warning is displayed.
Tip: It is recommended not to have an unsigned DLL loaded in a production environment.

ID 30 Key archival not working (Red)
If the key archival mechanism is not initialized correctly an error appears.
Tip: Contact Versasec if this message appears for details on how to resolve it.

ID 31 Configured certificates not found (Yellow)
This warning appears if a card template is configured to import root and/or sub CA files or PKCS#12 files incorrectly.
Tip: Make sure the instructions in this administration guide are followed when configuring the import of root and/or sub CA files or PKCS#12 files.

ID 32 Card expiration (Yellow)
This warning appears if management of supported PIV cards is configured but a short expiration period is set.
Tip: Go to the Options PIV page and ensure that the selected signing certificate is valid for the configuration set.

ID 33 PIV Signer not functional (Yellow)
PIV smart card issuance is not possible.

ID 34 PIV Signer cert going to expire
PIV smart card issuance is not possible because of short validity time.

ID 35 Operator Service Key Store (OSKS) not functioning
This error message appears if the system fails to initialize the OSKS.
Tip: Activate the OSKS from the Options Operators page.

ID 36 No issuer DN configured
This warning appears if there is no issuer DN configured for the CA connection(s) listed.
Tip: Navigate to Options Connections, select the CA template reported in the message and click the Edit button. Click the second Get button, select the DN and click Ok.

ID 37 No Operator Card Authentication keys
This warning appears if there are no authentication keys configured for the operator card(s) listed.
Tip: Attach the listed operator card, go to the Options Operators page and click the Update Keys button to add them. A key, such as a certificate, must be present on the operator card to complete the update.

ID 38 Reserved for future use
This ID is assigned to a future feature that is not yet implemented in the product.

ID 39 The Operator SOAP server is not running
This warning appears if the Operator console server is configured but not running.
Tip: From the Windows services ensure that vsec:cms Operator Console Services is running.

ID 40 Ask for file feature removed
This warning appears if the Ask for file feature was previously configured for data export. This feature is no longer available, therefore this message informs the operator.
41 EA certificate signing not This warning message will appear if there are no certificate request signing certificate(s) Yellow Red Yellow Yellow Yellow Yellow Yellow vsec:cms versasec.com 209(338)

210 configured 42 EA signing certificate not found configured. Tip: Go to the Options Operators page and click the Cert request signing button to configure. This warning message will appear if the configured certificate request signing certificate was not found. Tip: Go to the Options Operators page and click the Cert request signing button and ensure that the configured certificate is correct. 43 Reserved for future use This ID is assigned to a future feature that is not yet implemented in the product. 44 Reserved for future use This ID is assigned to a future feature that is not yet implemented in the product. 45 Low system administrator roles This warning message will appear if there is just one operator with the system administrator role configured on the system. If this operator card is lost, destroyed or broken, there is no operator with access rights to assign a new one and therefore the only recovery procedure then is to do a system backup restore. Tip: Add an additional operator token with system administrator role to the system. 46 Template ID s not unique If a card template(s) IDs are not unique this error message will appear. Tip: Contact Versasec if this message appears for details on how to resolve. Yellow Yellow Red vsec:cms versasec.com 210(338)

Check for S-Series Updates

It is possible to configure the S-Series to check if new software versions are available. This is configured from the File Program Settings file menu option. In the Updates section, select the frequency at which you require the S-Series to check for updates. When the S-Series starts and the application is configured to check for updates, a dialog will be displayed. Click the Do not show this message again checkbox if this message should not be displayed again for the particular notification message. If there is a subsequent update notification for a newer version then a new dialog will be displayed. Click Disable automatic update checks if automatic update checks should not be performed when the S-Series starts. Note: The S-Series server will need to have internet access to use this feature.

Cache Data Export

If the S-Series is configured to cache the data that is to be exported from the system, the cached data can be viewed from Options Connections Data Export. Click the link under the number of pending records to view the data in the cache. From the Target to export to drop down list select the target type that the data will be exported to. Click the Export button to send the data immediately and remove it from the cache. Select an entry and click the Delete button to delete the selected entry from the cache. The data will not be retrievable once the delete option is selected. Click the Copy button to copy the data as displayed in the table to the system clipboard, from where it can be pasted into a file, for example.

Cache CA Revocation Requests

The S-Series application will cache certificate revocation requests if the CA is unreachable and the card template is configured to cache revocation requests. For example, in the revoke card template it is possible to enable caching of requests. On start-up of the S-Series, the application will check if there is a CA configured and, if there are any cached revocation requests, it will automatically send them to the CA if it is reachable. In order to view cached revocation requests, browse to Options Connections and in the Certificate Authorities section click the Number of certificates to revoke link. When the CA becomes available, click the Revoke Now button to send the cached requests to the CA. The CA to which the revocation request needs to be sent can be seen from the Certificate authority drop down list. If it is required to delete a cached request, select the request and click the Delete button. Click the Copy button to save the contents of the dialog to the system clipboard, from where the information can be saved to a text file if required. Important: If a MS CA is used, any Operator who is attempting to revoke a managed user's smart card that contains certificate(s) using the S-Series console will need to have the Issue and Manage Certificates permission on the CA to perform this operation. That means the Windows account that the Operator logged on with will need to have these permissions enabled on the CA. For example, if the Operator is using the Windows account Bob A. Smith as in the example below, this user will need to have the permission set as below. Otherwise the certificate revocation will be put in a queue on the S-Series and will only be revoked when an Operator who does have these permissions logs on and revokes the certificate(s).
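The queue-and-flush behaviour described above, as an added illustration written for this guide and not Versasec's own code: revocation requests that cannot reach the CA are kept in a cache (only when the template allows caching), re-sent on start-up or on Revoke Now, and anything that still fails stays queued. The class and method names (RevocationCache, FakeCA, revoke_now) and the in-memory stand-in for the CA are assumptions made for the example.

```python
"""Added example (not Versasec's code): caching revocation requests while the CA
is unreachable.  FakeCA is a constructed stand-in that can be switched offline."""
from dataclasses import dataclass, field
from datetime import datetime, timezone


@dataclass
class RevocationRequest:
    serial: str            # certificate serial number (constructed hex strings below)
    reason: str            # revocation reason chosen by the operator
    comment: str = ""      # free-text comment from the revoke dialog
    queued_at: str = field(
        default_factory=lambda: datetime.now(timezone.utc).isoformat())


class CAUnreachable(Exception):
    """Raised by the CA client when the CA cannot be contacted."""


class FakeCA:
    """Constructed stand-in for a CA: records revocations while 'online'."""
    def __init__(self):
        self.online = True
        self.revoked = {}

    def revoke(self, req: RevocationRequest) -> None:
        if not self.online:
            raise CAUnreachable("CA not reachable")
        self.revoked[req.serial] = req.reason


class RevocationCache:
    """Assumed name. Mirrors the behaviour the guide describes: try the CA first,
    queue on failure if the template allows caching, flush later."""
    def __init__(self, ca, cache_enabled: bool = True):
        self.ca = ca
        self.cache_enabled = cache_enabled   # 'enable caching of requests' on the template
        self.pending: list[RevocationRequest] = []

    def revoke(self, req: RevocationRequest) -> str:
        try:
            self.ca.revoke(req)
            return "revoked"
        except CAUnreachable:
            if not self.cache_enabled:
                raise                      # template forbids caching: surface the error
            self.pending.append(req)
            return "cached"

    def revoke_now(self) -> int:
        """Flush the cache (start-up or Revoke Now). Returns the number sent;
        requests that still fail remain queued."""
        still_pending, sent = [], 0
        for req in self.pending:
            try:
                self.ca.revoke(req)
                sent += 1
            except CAUnreachable:
                still_pending.append(req)
        self.pending = still_pending
        return sent

    def delete(self, serial: str) -> int:
        """Remove a cached request (the Delete button); returns how many were removed."""
        before = len(self.pending)
        self.pending = [r for r in self.pending if r.serial != serial]
        return before - len(self.pending)

    def export_text(self) -> str:
        """Tab-separated text, the kind of content the Copy button puts on the clipboard."""
        rows = ["serial\treason\tqueued_at"]
        rows += [f"{r.serial}\t{r.reason}\t{r.queued_at}" for r in self.pending]
        return "\n".join(rows)


def demo():
    """CA goes offline, two requests are cached, CA returns, cache is flushed."""
    ca = FakeCA()
    cache = RevocationCache(ca)
    ca.online = False
    r1 = cache.revoke(RevocationRequest("1A2B", "keyCompromise"))
    r2 = cache.revoke(RevocationRequest("3C4D", "cessationOfOperation"))
    pending_offline = len(cache.pending)
    ca.online = True
    sent = cache.revoke_now()
    return r1, r2, pending_offline, sent, len(cache.pending), sorted(ca.revoked)


if __name__ == "__main__":
    print(demo())
```

The point of the design is that caching is opt-in per template and that a flush never drops a request silently: a request leaves the queue only when the CA has accepted it or an operator deletes it explicitly.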

Unblock S-Series Operator Passcode

For the S-Series, only operators with the permission to unblock can unblock an operator smart card. If an operator card used to log into the S-Series is blocked, follow the steps below to unblock it. When an operator attempts to log onto the S-Series application with a blocked operator token, an unblock operator token dialog is presented. The dialog allows the operator to unblock the passcode by presenting an unblock authentication cryptogram. To calculate the cryptogram the S-Series generates a challenge and prints it in the dialog. To generate the correct cryptogram it is necessary to know or have access to the S-Series token administration key. Note: For the S-Series the Get button will only be available for the System Owner operator card that was created at the initialization phase. If the administration key value is known by the operator, click the Get button to calculate the cryptogram. Clicking the Get button will present the Smart Card Unblock dialog. Enter the administration key and click the Calculate Cryptogram button. If the administration key is not known, which for the S-Series typically would be the case for an operator smart card that it manages, it will be necessary to send the challenge together with the token serial number to an operator who has permission to perform smart card unblock. This dialog needs to remain open until the cryptogram is calculated and sent back by that operator. The returned cryptogram needs to be copied into the Cryptogram field. Enter a passcode and confirm it to set a new passcode for the operator and click the OK button to complete. For the S-Series, if any other operator in the system blocks their passcode, it will only be possible for operators with unblock permissions to unblock the operator's smart card passcode. The flow to unblock the operator's smart card passcode is the same as for a normal user smart card that is managed by the S-Series.

Customize Details on Managed Device

It is possible to customize certain windows where information about the managed device is displayed. This is a global configuration, therefore once it is configured the details that are to be displayed will be the same across all windows. Currently it is possible to configure this for the Lifecycle page and from the Actions Smart Card Unblock page. For example, from the Lifecycle page right click in the Selected Smart Card window and select Configure. This will present the dialog below with a list of available options. Enable Show smart card serial number (CSN) to display the smart card token's unique serial number. Enable Show smart card type to display the card template that the current smart card token is issued by. Enable Show smart card status to display the current status of the smart card token. Enable Show user ID to display the user identifier that the smart card token is issued to. Enable Show operator account if the selected smart card token is an operator token, which will display the operator account details. Enable Show certificates to display the details about what certificate(s) are issued to the smart card token. Enable Show certificate details if further information about what certificate(s) are issued to the smart card token is to be displayed.

Enable Show user details from directory if additional user attribute information should be displayed about the user to whom the smart card token is issued. The additional user details can be configured from the section above. Enable Show custom fields and click the Custom fields button to customize further details that can be displayed in this window.

Perform Tasks

This section describes all of the operations that an operator can perform for day-to-day management of their smart card token estate.

Action Flows

From the Actions section the operator can only perform tasks with smart cards that are already managed by the S-Series.

Smart Card Unblock

It is possible to perform smart card unblock either when the smart card that is to be unblocked is in the possession of the operator or not. When the smart card is in the possession of the operator the unblock procedure is referred to as online unblock, and when the smart card is not in the possession of the operator the procedure is known as offline unblock.

Online Unblock

If the user smart card is in the possession of the operator it is possible to unblock the user smart card PIN. To unblock the user smart card PIN, attach the smart card that is to be unblocked and browse to Actions Smart Card Unblock. From the Smart card inserted in drop down box select the smart card reader that the user smart card is inserted in. If more than one smart card PIN is set, select the PIN that you wish to unblock from the drop down list. Enter a new PIN, confirm it and click the Unblock button to unblock the user smart card. On clicking the Unblock button the operator will be prompted to enter their passcode.

Offline Unblock

When the user smart card is in the possession of the end user it may be necessary to unblock the user smart card when, for example, the user blocks the PIN of the smart card by entering the incorrect PIN more than the allowed maximum number of PIN tries. The mechanism used to unblock the PIN offline is a challenge-response protocol. This operation to unblock a smart card can be used in conjunction with the USS. To unblock the user smart card PIN browse to Actions Smart Card Unblock and click the Search button to find the user for which the offline unblock operation is required. Once the user is selected, additional information about the smart card is presented in the Selected Smart Card page. To perform the offline unblock the user who needs to unblock their smart card needs to generate a challenge. Many tools exist to generate a smart card token unblock challenge, such as the USS from Versasec or the MS built-in credential manager.

The generated challenge needs to be provided to the operator at this stage. Important: The user should not close the application page used to generate the unblock challenge code until the unblock cryptogram response code is generated and returned by the operator, as there is a one-to-one relationship between the generated challenge and the response code. On receiving the challenge from the end user the operator should enter the challenge into the field provided. The operator should then click the Cryptogram button, which will prompt the operator to enter their passcode. On presenting the operator passcode the S-Series will generate a cryptogram which should be provided back to the end user. The end user should then enter this cryptogram into the tool described above to unblock their smart card and set a new PIN on the smart card. If the application is configured for USS support and the operator is allowed to generate unblock codes, search for the user and click the PIN Unblock code. Enter the operator card passcode and, if configured, the user card PIN unblock code will be displayed in the application console; an email of the unblock code can be configured to be sent to the user. The user should then enter this PIN unblock code where prompted in the USS console. Click Reset passphrase to reset the user's passphrase, which the end user is required to provide when they unblock their passphrase using the USS console. The self-service template will need to be configured to allow this passphrase reset. The setting System generates passphrase at card issuance will need to be enabled on the self-service template and the delivery mechanism, which is email, must be enabled.

Temporary Smart Card

It is possible to issue temporary cards from this page if a temporary card template is configured. This will allow an operator to issue a temporary card for a user in scenarios where, for example, a user forgets to bring their already issued card to their workplace office. A temporary card template will need to be configured that is linked to the primary card template. See the section above for more details on how to configure and use this feature.

PIN Policy

The end user smart card PIN policy would typically be configured in a smart card template and set during the issuance process. If a user smart card that is in the possession of the operator requires its PIN policy to be set, for example because the PIN policy was not set during the issuance process, then it is possible to set it through the PIN Policy workflow. In order to apply a PIN policy to the user smart card browse to Actions PIN Policy and from the The smart card inserted in drop down box select the smart card reader that the user smart card is inserted in. If more than one smart card PIN is set on the card, select the PIN that you wish to set the PIN policy for. Select the required PIN policy from the Policy Template drop down box and click the Set button to set the PIN policy on the smart card. The operator will be prompted to enter their passcode and upon providing this the PIN policy will be set on the smart card.

BIO Policy

The end user smart card BIO policy would typically be configured in a smart card template and set during the issuance process. If a user smart card that is in the possession of the operator requires its BIO policy to be set, for example because the BIO policy was not set during the issuance process, then it is possible through the BIO Policy workflow. In order to apply a BIO policy to the user smart card browse to Actions BIO Policy and from the The smart card inserted in drop down box select the smart card reader that the user smart card is inserted in. Select the required BIO policy from the Policy Template drop down box and click the Set button to set the BIO policy on the smart card. The operator will be prompted to enter their passcode and upon providing this the BIO policy will be set on the smart card.
Certificates/Keys

Typically, a user certificate would be issued to the smart card during the issuance process, but if the operator is in possession of the user smart card it is possible to view, import, delete, set the default certificate and issue a user certificate to the smart card if the S-Series is configured and connected to a CA. For smart cards that do not support multiple PINs the view is described below: To access the certificates on the registered user smart card browse to Actions Certificates/Keys and from the Certificates for the smart card inserted in drop down box select the smart card reader that the user smart card is inserted in. It is possible to view the certificate, set the default certificate if more than one certificate resides on the smart card (the rosette symbol beside the certificate indicates the default certificate), import a certificate from file and delete a certificate. If the S-Series is connected to a CA it is possible to issue a user certificate to the smart card. Enable the option Import Root/SubCA certificate(s) to smart card (see the section below for further instructions on this) if it is required to write the Root and SubCAs to the smart card during the issue of the certificate from the CA. The color of the certificate icon in the view table indicates whether the certificate is the default certificate or not. The icon color will be red to indicate that the certificate is set as default. For smart cards that support multiple PINs the view is described below: All of the options available from the previous step will be available with an additional PIN button. Click the PIN button if it is required to change the PIN type set for the certificate key container. In this example, the PIN type is set to Primary smart card PIN. If it is required to change the PIN type to Digital Signature, select this option and click OK.

Print Smart Card

A registered smart card can be printed with a design layout as configured in the S-Series. Select the printer smart card reader that the user smart card is inserted in from the The smart card inserted in drop down field. Select the layout template from the drop down list and click the Print button to print to the smart card, or click the Preview button to see a preview of what the printed card will look like.

Update Smart Card

The Update Smart Card option allows operators to set a new administration key on the user smart card if the master key of the S-Series is changed. It is recommended to change the administration key set on the registered user smart cards in this case. To access the Update Smart Card option page browse to Actions Update Smart Card and from the Update the smart card inserted in drop down box select the smart card reader that the user smart card is inserted in. In the Planned updates text box a message will appear indicating what update needs to be carried out. Click the Update button to start the update. The operator will be prompted to confirm the operation and on clicking Yes the passcode prompt will be presented. After the workflow is complete a success dialog will be presented.

Smart Card Information

It is possible to get detailed information about the user smart card, if required. Browse to Actions Smart Card Information and from the Details for the smart card inserted in drop down box select the smart card reader that the user smart card is inserted in. Consult the smart card manufacturer's technical documentation for further details.

Smart Card Token Lifecycle

From the Lifecycle page operators can perform the smart card token management tasks. Smart cards managed by the S-Series application have different statuses depending on where the smart card is in its lifecycle. The S-Series uses workflows to manage the smart card through its lifecycle. From the Lifecycle page, operators can manage the smart card. When an operator opens the Lifecycle page with a user smart card attached to the host on which the S-Series application is running, the diagram will inform them of where the user smart card is in its lifecycle by placing a smart card icon over the oval process state. For example, from the diagram below it is possible to determine that the attached user smart card is unregistered in the system, since the smart card icon is over the Unregistered oval process in the diagram. When in this state the operator can change the status of the smart card to Registered or Issued, as indicated by the dotted smart card icon that appears when you mouse over the oval processes available from the diagram.

Register Smart Card Token

In order to register a smart card, simply attach a new, unregistered smart card to the system and click the Registered oval process. Click the Execute button if only one smart card is to be registered or the Batch button if more than one smart card is to be registered at a time, which allows for a streamlined registration flow. The registration of the smart card will result in the creation of a new smart card administration key, diversified from the S-Series application master key. This new key will replace the default smart card manufacturer administration key. The smart card PIN(s) will be blocked and any fingerprint(s) will be blocked if the smart card supports this feature. The smart card needs to be connected to the system to perform this task. In order to register a smart card, from the Lifecycle page and with the smart card that is to be registered attached, select the smart card from the Use the smart card inserted in drop down box. The User ID field will be automatically populated with the CSN of the smart card. Click the Registered oval and the application will indicate the workflow by the red arrow and smart card dotted outline. Also the selected process to be performed will be displayed under Selected process(es). Click the X button to deselect the workflow that was selected. Click the Execute button to start the register workflow. If more than one user smart card is to be registered, click the Batch button. Enter the operator passcode to proceed. After successfully completing the registration a success dialog with a short summary will be presented.

If the Batch button was clicked the operator will be prompted to remove the smart card when the registration is complete and insert a new smart card. To terminate the batch registration, click the Stop button.

Issue Smart Card

A user smart card status changes to Issued when a card template is set on the smart card. Click the Issued oval process and select the card template from the card template list that is to be set on the smart card. Click the Execute button if only one smart card is to be issued or the Batch button if more than one smart card is to be issued at a time, which allows for a streamlined flow. The issue card template that is configured for issue will be set during this workflow.

Initiate Smart Card

A user smart card status changes to Active when the Initiate smart card option is performed. In this workflow the user smart card PIN will be unblocked and a new PIN set on the card. The smart card can either be connected to the system or disconnected from the system to perform this task. The initiate card template that is configured for initiate will be set during this workflow.

Initiate when User Smart Card is in possession of Operator

If the user smart card that is to be initiated is in the possession of the operator, attach the user smart card and click the Active oval to select the operation to be performed. You will notice that the S-Series automatically determines the user ID. Click the Execute button to start the flow. Enter the operator passcode to proceed when prompted. The operator should now enter a new user PIN and confirm this value, or if the user is with the operator, the user can enter their own PIN. The smart card policy requirements set on the smart card need to be satisfied. Enable the Force change at first use checkbox to force the end user to change the smart card passcode when the smart card is used for the first time. A short summary and success dialog will be presented when the operation completes.

Initiate when User Smart Card is in possession of end user

In order to initiate a smart card where the smart card is in the possession of the end user, click the Search button to select the user. It is possible to search for a user by the identifier for the user if known or by the CSN of the card. Select the user and click OK. Click the Active oval to select the operation to be performed. Click the Execute button to start the operation. Enter the operator passcode to proceed when prompted. The end user will need to provide a challenge which the operator should enter into the User smart card challenge field. A checksum is automatically calculated to validate that the challenge entered corresponds to the value received from the end user. Click the Cryptogram button to generate a cryptogram that needs to be sent back to the end user to allow them to unblock the PIN on their smart card. A short summary and success dialog will be presented when the operation completes.

Inactivate Smart Card

A user smart card status changes to Inactive when the Inactivate smart card option is performed. In this workflow the S-Series application will block access to the registered user smart card administration key, i.e. it will not be possible to unblock the user smart card should it become blocked. The smart card can either be connected to the system or disconnected from the system to perform this task. The inactivate card template that is configured for inactivate will be set during this workflow.

Inactivate when User Smart Card is in possession of Operator

If the user smart card that is to be inactivated is in the possession of the operator, attach the user smart card and click the Inactive oval to select the operation to be performed. You will notice that the S-Series automatically determines the user ID. Click the Execute button if only one smart card is to be inactivated or click the Batch button if more than one smart card is to be inactivated. Enter the operator passcode to proceed when prompted. A success dialog will be presented when the operation completes.

Inactivate when User Smart Card is not in possession of Operator

In order to inactivate a smart card where the smart card is not in the possession of the operator, click the Search button to select the user. It is possible to search for a user by the identifier for the user if known or by the CSN of the card. Select the user and click Ok. Click the Inactive oval to select the operation to be performed. Click the Execute button to start the operation. Enter the operator passcode to proceed when prompted. A success dialog will be presented when the operation completes.

Activate Smart Card

A user smart card status changes to Active when the Activate smart card option is performed. In this workflow the S-Series application will unblock access to the registered user smart card administration key, i.e. it will be possible to unblock the user smart card should it become blocked. The smart card can either be connected to the system or disconnected from the system to perform this task. The activate card template that is configured for activate will be set during this workflow.

Activate when User Smart Card is in possession of Operator

If the user smart card that is to be activated is in the possession of the operator, attach the user smart card and click the Active oval to select the operation to be performed. You will notice that the S-Series automatically determines the user ID. Click the Execute button if only one smart card is to be activated or click the Batch button if more than one smart card is to be activated. Enter the operator passcode to proceed when prompted. A success dialog will be presented when the operation completes.

Activate when User Smart Card is not in possession of Operator

In order to activate a smart card where the smart card is not in the possession of the operator, click the Search button to select the user. It is possible to search for a user by the identifier for the user if known or by the CSN of the card. Select the user and click Ok. Click the Active oval to select the operation to be performed. Click the Execute button to start the operation. Enter the operator passcode to proceed when prompted. A success dialog will be presented when the operation completes.
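The challenge-response mechanism used by both the Offline Unblock workflow and the Initiate workflow when the card is with the end user, as an added example written for this guide and not Versasec's implementation: the card holds an administration key diversified from the master key and the card serial number (CSN), produces a fresh random challenge, and accepts only the cryptogram computed over that exact challenge, after which the challenge is discarded, which is the one-to-one relationship the guide insists on. The console side also computes a short checksum of the challenge so a mistyped value is caught before a cryptogram is produced. HMAC-SHA256 as the MAC, the 8-byte challenge, the 16-hex-digit cryptogram, the two-character checksum and all class names (Card, OperatorConsole) are assumptions for the example; real cards use their own algorithms.

```python
"""Added example (not Versasec's code): key diversification plus a one-shot
challenge/response for PIN unblock.  All keys and serial numbers below are
constructed test values."""
import hashlib
import hmac
import os


def diversify_key(master_key: bytes, csn: str) -> bytes:
    """Per-card administration key derived from the master key and the CSN (assumed KDF)."""
    return hmac.new(master_key, csn.encode(), hashlib.sha256).digest()


def cryptogram(admin_key: bytes, challenge: bytes) -> str:
    """Response the card expects for a given challenge (assumed: truncated HMAC)."""
    return hmac.new(admin_key, challenge, hashlib.sha256).hexdigest()[:16].upper()


def challenge_checksum(challenge_hex: str) -> str:
    """Two-character transcription check shown beside the challenge field (assumed scheme)."""
    return hashlib.sha256(challenge_hex.upper().encode()).hexdigest()[:2].upper()


class Card:
    """Simulated smart card: PIN retry counter, administration key, one-shot challenge."""
    def __init__(self, csn: str, admin_key: bytes, max_tries: int = 3):
        self.csn = csn
        self._admin_key = admin_key        # set at registration, never leaves the card
        self._pin = "1234"                 # constructed initial PIN
        self._max_tries = max_tries
        self.tries_left = max_tries
        self._challenge = None

    @property
    def blocked(self) -> bool:
        return self.tries_left == 0

    def verify_pin(self, pin: str) -> bool:
        if self.blocked:
            return False
        if hmac.compare_digest(pin, self._pin):
            self.tries_left = self._max_tries
            return True
        self.tries_left -= 1
        return False

    def unblock_challenge(self) -> str:
        """Fresh random challenge; the previous one (if any) is invalidated."""
        self._challenge = os.urandom(8)
        return self._challenge.hex().upper()

    def unblock(self, response: str, new_pin: str) -> bool:
        if self._challenge is None:
            return False                   # no outstanding challenge: replay or stale response
        expected = cryptogram(self._admin_key, self._challenge)
        self._challenge = None             # consumed whether or not the response is right
        if not hmac.compare_digest(expected, response):
            return False
        self._pin = new_pin
        self.tries_left = self._max_tries
        return True


class OperatorConsole:
    """Operator side: holds the master key, never the per-card keys."""
    def __init__(self, master_key: bytes):
        self._master = master_key

    def register(self, csn: str) -> Card:
        return Card(csn, diversify_key(self._master, csn))

    def unblock_cryptogram(self, csn: str, challenge_hex: str, checksum: str) -> str:
        if challenge_checksum(challenge_hex) != checksum.upper():
            raise ValueError("challenge does not match the checksum; re-enter it")
        return cryptogram(diversify_key(self._master, csn), bytes.fromhex(challenge_hex))


def simulate():
    """Block a card, unblock it offline, then show that replay and a foreign master key fail."""
    console = OperatorConsole(b"constructed-master-key-not-a-real-secret")
    csn = "0123456789ABCDEF"
    card = console.register(csn)
    for _ in range(3):
        card.verify_pin("0000")                      # user exhausts the retry counter
    blocked = card.blocked
    chal = card.unblock_challenge()                  # user reads this from their tool
    resp = console.unblock_cryptogram(csn, chal, challenge_checksum(chal))
    ok = card.unblock(resp, "4321")                  # user enters cryptogram and new PIN
    new_pin_works = card.verify_pin("4321")
    replay = card.unblock(resp, "9999")              # same cryptogram again is rejected
    other = OperatorConsole(b"different-master-key")
    chal2 = card.unblock_challenge()
    wrong = card.unblock(other.unblock_cryptogram(csn, chal2, challenge_checksum(chal2)), "0000")
    return blocked, ok, new_pin_works, replay, wrong


if __name__ == "__main__":
    print(simulate())
```

Two properties worth noting: diversification means a compromised card key does not expose the master key or any other card's key, and the one-shot challenge means a cryptogram intercepted in transit between user and operator is worthless once used.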

226 Lock Smart Card A user smart card status changes to Locked when the Lock smart card option is performed. In this workflow, the registered user smart card will be blocked. The smart card needs to be connected to the system to perform this task. The lock card template that is configured for lock will be set during this workflow. Attach the user smart card and click the Locked oval. Click the Execute button if only one smart card is to be locked or the Batch button if more than one smart card is to be locked. Enter the operator passcode to proceed when prompted. A success dialog will be presented when the operation completes. Unlock Smart Card A user smart card status changes to Issued when the Unlock smart card option is performed. This workflow will result in the registered user smart card being unlocked and the smart card status changing to Issued. The smart card needs to be connected to the system to perform this task. Click the Issued oval process and click the Execute button if only one smart card is to be unlocked or the Batch button if more than one smart card is to be unlocked at a time, which allows for a streamlined flow. The unlock card template that is configured for unlock will be set during this workflow. Attach the user smart card and click the Issued oval. Click the Execute button if only one smart card is to be unlocked or the Batch button if more than one smart card is to be unlocked. Enter the operator passcode to proceed. A success dialog will be presented when the operation completes. Revoke Smart Card A user smart card status changes to Revoked when the Revoke smart card option is performed. This workflow will result in the certificate(s) on the smart card being revoked by the S-Series application sending a revocation notification to the CA. The smart card can either be connected to the system or disconnected from the system to perform this task. The revoke card template that is configured for revoke will be set at this process. 
Revoke when User Smart Card is in possession of Operator If the user smart card that is to be revoked is in possession of the operator, attach the user smart card and click the Revoke oval to select the operation to be performed. You will notice that the S- Series automatically determines the user ID. Click the Execute button to start the flow. Enter the operator passcode to proceed. Select a revocation reason from the available list in the Revocation reason drop down list and add a more descriptive comment in the text field if required. A success dialog will be presented when the operation completes. Important: If a MS CA is used, any Operator who is attempting to revoke a managed user s smart card that contains certificate(s) using the S-Series console will need to have Issue and Manage Certificates permission on the CA to perform this operation. That means the Windows account that the Operator logged on with will need to have these permissions enabled on the CA. For example, if the Operator is using the Windows account Bob A. Smith as in example below this user will need to have the permission set as below. vsec:cms versasec.com 226(338)

Otherwise the certificate revocation will be put in a queue on the S-Series and will only be revoked when an Operator who does have these permissions logs on and revokes the certificate(s).

Revoke when User Smart Card is not in possession of Operator

In order to revoke a smart card where the smart card is not in the possession of the operator, click the Search button to select the user. It is possible to search for a user by the identifier for the user if known or by the CSN of the card. Select the user and click OK. Click the Execute button to start the revocation flow. Enter the operator passcode to proceed. Select a revocation reason from the available list in the Revocation reason drop down list and add a more descriptive comment in the text field if required. A success dialog will be presented when the operation completes.

Important: If a MS CA is used, any Operator who is attempting to revoke a managed user's smart card that contains certificate(s) using the S-Series console will need to have the Issue and Manage Certificates permission on the CA to perform this operation. That means the Windows account that the Operator logged on with will need to have these permissions enabled on the CA. For example, if the Operator is using the Windows account Bob A. Smith as in the example below, this user will need to have the permission set as below.

Otherwise the certificate revocation will be put in a queue on the S-Series and will only be revoked when an Operator who does have these permissions logs on and revokes the certificate(s).

Retire Smart Card

A user smart card status changes to Retired when the Retire smart card option is performed. From this workflow the smart card template set to the registered user smart card will be removed and the PIN(s) will be blocked. It also allows user smart cards to be re-used. The smart card needs to be connected to the system to perform this task. The retire card template that is configured for retire will be set at this process.

Attach the user smart card and click the Retire oval. Click the Execute button if only one smart card is to be retired or the Batch button if more than one smart card is to be retired. Enter the operator passcode to proceed. A success dialog will be presented when the operation completes.

Delete Smart Card

A user smart card status changes to Deleted when the Delete smart card option is performed. This workflow will result in the smart card being deleted from the S-Series application database with any transaction logs remaining intact. The number of licensed smart cards allowed to be managed by the S-Series application will be decreased by one. Deleted smart cards cannot be registered again with the S-Series and it will not be possible to perform any administration operations with a deleted smart card. The smart card can either be connected to the system or disconnected from the system to perform this task.

Delete when User Smart Card is in possession of Operator

Attach the user smart card and click the Delete oval. Click the Execute button to start the flow. A warning dialog will appear to ensure that the operator fully understands the consequences if this operation is performed.

Enter the operator passcode to proceed. If the smart card certificate needs to be revoked, select a revocation reason from the available list in the Revocation reason drop down list and add a more descriptive comment in the text field if required. A success dialog will be presented when the operation completes.

Delete when User Smart Card is not in possession of Operator

In order to delete a smart card where the smart card is not in the possession of the operator, click the Search button to select the user. It is possible to search for a user by the identifier for the user if known or by the CSN of the card. Select the user and click OK. Click the Execute button to start the flow. A warning dialog will appear to ensure that the operator fully understands the consequences if this operation is performed. Enter the operator passcode to proceed. If the smart card certificate needs to be revoked, select a revocation reason from the available list in the Revocation reason drop down list and add a more descriptive comment in the text field if required. A success dialog will be presented when the operation completes.

Unregister Smart Card

In order to unregister a smart card, simply attach an already registered smart card to the system and click the Unregister oval process. The unregister workflow will reset the administration key of the smart card to its default smart card manufacturer administration key value. It will only be possible to unregister smart cards whose card status is Registered or Retired. The smart card needs to be connected to the system to perform this task.

Attach the user smart card and click the Unregistered oval. Click the Execute button if only one smart card is to be unregistered or the Batch button if more than one smart card is to be unregistered. Enter the operator passcode to proceed. A success dialog will be presented when the operation completes.

Upgrade Licenses

It is possible to upgrade the S-Series application license by browsing to Options > License. From this page it will be possible to upgrade user licenses.

Note: An operator will consume one user license.

If user licenses are to be upgraded (increased), click the Get Challenge button to generate a challenge and click the Copy button to copy this value to the PC clipboard. Paste this value into a text file and send it to the vendor that provided the S-Series. The vendor can then generate a new license key, which should be entered into the Upgrade field; click the Upgrade button to complete the license upgrade.

Note: It is possible to have up to 10 concurrent license requests sent to the vendor. For example, if a request for 10 new licenses is sent to a vendor and, while waiting for the vendor to issue a new license key, it is determined that a further 5 licenses are required, a new request can be sent for an additional 5 licenses. When the responses are returned simply apply the new license keys.

Generate New Master Key

It may be necessary to change the S-Series application master key, for example if the master key has been compromised. To change the master key, enter a short description of why the master key needs to be changed in the Comment field and click the Generate New Master Key button to begin the process.

Note: If an HSM is used please refer to the section below for details on using an HSM.

Important: Any new user smart card administration key will be diversified from the newly generated master key. Any user smart card administration key diversified from the old administration key of the S-Series application will remain operable. However, it is recommended to re-register those user cards issued from the old administration key of the S-Series. This will update the user's smart card administration key so that it is diversified from the new master key.

Diagnostic Support

It is possible to enable diagnostic support for the S-Series. This will allow operators to provide trace logging for Versasec's engineers if an issue is encountered with the S-Series. To enable a trace log go to the Help > Diagnostic menu option.

The System Info section provides details about the S-Series system. From the Trace section it is possible to configure the trace logging required to troubleshoot any issue encountered with the S-Series. From Validity select the period for which the trace logging should be enabled. There are 3 options available here:

This session only: if this option is selected the S-Series will begin the trace from the moment that the Start trace button is clicked and the trace will finish once the operator closes the current S-Series session or clicks the Stop trace button.

This session and next startup: if this option is selected the trace will begin from the moment that the Start trace button is clicked. If the current S-Series session is closed, the memory trace will be automatically started on the next start-up of the S-Series.

Every session: if this option is selected the trace will begin from the moment that the Start trace button is clicked. The memory trace logging will be enabled for all subsequent S-Series sessions.

From Max size it is possible to configure the size allowed for the memory trace log. Click the Start trace button to begin the trace. Click the Save button to save the memory trace log to a file. It is possible to encrypt the contents of the file if required, as shown in the dialog below.

Click the Upload button to automatically upload the trace log to Versasec's support site. A dialog will appear with a ticket number that should be written down and used when corresponding with a Versasec support engineer. A connection to the internet will be required for this feature.

Note: The memory trace data uploaded will be encrypted.

Once the Start trace button is clicked the trace will be recorded. The button will change to Stop trace at this time. Click Stop trace to terminate the trace.

Upgrade S-Series

This section describes the procedure to upgrade the S-Series from earlier versions. If performing an upgrade it is necessary to perform the upgrade on the server and on any client where the operator console application is installed.

Important: On the server it is recommended to make a backup copy of the currently installed version of the S-Series before performing the upgrade. Copy the folder that the current version is installed in. For example, if the current version is installed in C:\Program Files (x86)\versatile Security\vSEC_CMS T-Series or C:\Program Files (x86)\versasec\vsec_cms S-Series, stop the S-Series Windows service (named vsec:cms Service) and make a backup copy of this folder on your system. It will be necessary to change the permissions on the dat folder, which is located in the root of the currently installed version, to allow the currently logged on Windows user access to this folder.

1. Download the latest S-Series installer as provided by your vendor;
2. Stop the vsec:cms Service on the server;
3. Start the installer on the server where the current version resides;
4. Click I Agree to proceed;
5. The installer will determine that a version currently resides on the server and will prompt you to perform an update. Click the Update button to perform the upgrade;
6. On completion of the upgrade click Close.

You can now use the upgraded S-Series to perform operations as necessary.

Important: It is required to log on once through the RDP interface for ALL operator cards which are currently issued with 3.x. This is required to add an authentication key to the S-Series for these operator cards, which is needed to use the new operator console SOAP interface. It will be necessary to stop the Windows vsec:cms Operator Console Service to perform this task. Once the authentication key is added to the system it will be possible to use the operator console service to log onto the S-Series operator console using those operator cards.

Migrate T-Series to S-Series

It is possible to migrate from the T-Series to the S-Series. Follow the steps below to perform the migration.

Note: For the migration it is required to have the T-Series available from the server where the S-Series is installed if the connection to that server is via RDP. Many applications are available that allow the sharing of a locally connected USB device with Windows servers. The device drivers for the T-Series will need to be installed on the server.

It will be necessary to receive an S-Series System Owner operator token from your supplier. Install the S-Series on the server where it will run as described in the section above.

Important: Do not initialize the S-Series at this time.

Attach the T-Series to the server where the S-Series was installed and launch the S-Series application.

Important: Make sure that the T-Series application is not running in the system tray.

A dialog similar to the one below will be presented. Enter the T-Series token owner passcode and the backup database passcode and attach the S-Series System Owner operator token. Click OK to proceed. The migration will now commence. After the migration completes a dialog similar to the one below will be presented.

Now the initialization of the S-Series System Owner operator token will begin. The System Owner operator will need to set a new administration key on the smart card token. If the smart card token administration key value is not the default factory value of 48 hexadecimal zeroes (i.e. the administration key has the value of hex: ) then this operation will fail. This key will be required later if it is necessary to unblock the operator smart card token. It is strongly recommended to store the key in a safe, secure location. The key must be 24 bytes long. The key can be entered as a 24 character text string (if the hexadecimal option is disabled) or as a hexadecimal string (24*2, which is 48 hexadecimal characters). It is also possible to generate a random key value by clicking on the Random button. Before clicking OK you will be forced to click the Copy button. This will copy the key information to the system clipboard, from where the key value can be pasted into a text editor to print out and then saved to a secure location for later use.

The next step forces the operator to set a passcode on the operator smart card token. This passcode will be required later for each operation performed with the S-Series application. This completes the flow. The System Owner will now be prompted to log onto the application.

Batch Preview Print Flow

This section describes how to perform a print preview for a batch issuance job. This allows an operator to validate that all the user data that needs to be printed onto the smart card during issuance is available before actually issuing and printing the smart card.

Step 1 Create Batch File

Using a text editor, such as Notepad, add the full distinguished name of the users from Active Directory (AD) that will be batch previewed. For example, if it is required to batch preview 3 employee cards for the employees (example employees) John Doe, Tom Barry and Sally Murphy, write their full distinguished names as below in a text editor.

CN=John Doe,OU=Corp,OU=Users,OU=Corporate,DC=example,DC=local
CN=Tom Barry,OU=Corp,OU=Users,OU=Corporate,DC=example,DC=local
CN=Sally Murphy,OU=Corp,OU=Users,OU=Corporate,DC=example,DC=local

Save the file to a location on the host. For example, save the file as batch_job_1.txt to the location C:\my_batch_jobs on the host C drive.

Note: It is possible to enter comments and/or notes into the batch text file by starting the comment line with the # character.

Important: If the distinguished name of the user is not correct then it will not be possible to issue the card for the user. MAKE SURE THAT THE DISTINGUISHED NAME IS CORRECT FOR EACH USER.

Step 2 Place Smart Card in Printer

Place blank plain smart card(s) into the printer feeder.

Step 3 Insert Smart Card

From the S-Series administration console navigate to the Lifecycle page. Make sure that the smart card printer reader is selected from the Use the smart card inserted in drop down field. Click the Insert button to feed the smart card into the smart card printer. When the smart card is fed into the printer click the Issued oval and select the smart card template that will be applied to the particular batch preview job from the Select card template drop down list.

Step 4 Start Batch Job

Click the Batch button to start the batch job.

Step 5 Enter Operator Passcode

On clicking the Batch button it will be necessary to enter the operator passcode.

Step 6 Select Batch File

On entering the operator passcode a selection dialog will be presented. Enable the Take from input file radio button and click the Browse button. Select the location where the batch file is located and click the Open button. On selecting the batch file the dialog will show a short summary. In the Options section select Run until card feeder is empty if it is required to only run the batch job until all cards in the feeder are consumed, regardless of the number of records in the batch file. Alternatively, enter the maximum number of cards that should be processed in the Maximum cards to process field. Enable the Preview before start button to ensure that the print preview dialog will be displayed. Click the Start button to start the batch flow.

Step 7 Batch Preview Flow

Now the S-Series will begin to generate the batch preview for the users in the batch file. The application will display information about the process. Depending on the number of users in the batch file the batch preview process can take some time.

Step 8 Batch Preview Dialog

Once the batch file has been processed a summary dialog will be displayed. From here it is possible to preview all of the cards that will be printed. Select a record from the table to view how the card would look if it were to be printed. Click the Result button to view a summary of the operations that would be performed on the card if it had been an actual issuance. The Result column of the table indicates whether the preview operation was successful or failed. For a failed operation select the entry and click the Result button to determine why the operation failed. Use the check box beside each record to disable an actual card issuance for the selected record; for example, a record may have failed and therefore should not be issued at this time. Click the Continue button to allow the S-Series to continue with actually issuing and printing the smart cards. Click the Close button to close the preview dialog and end the flow.

PKCS12 File as Certificate Connection

This section provides an example of how to configure the S-Series to use PKCS12 files that are imported during the smart card issuance process.

The first step is to set up a CA connection. From Options > Connections click the Configure button. Click the Add button. Enter a template name and select PKCS12 from the drop down list. Click the Get button to select a PKCS12 file to allow the S-Series to automatically detect the CA issuer DN. Browse to the location of the PKCS12 file and enter the password for the PKCS12 file. Click the Get button to select a default location that the S-Series will search for PKCS12 files during the issuance process. Enter a passphrase for PKCS12 files if a default passphrase is used for all PKCS12 files that are to be imported during issuance when the S-Series is configured to use a PKCS12 certificate database already configured (see the section above for details).

The next step is to configure a card template from Templates > Card Templates. In the enroll certificates section of the Issue Card section, select the PKCS12 connection template added above. A P12 Settings button will appear when the PKCS12 connection is used for issuing the certificates. Click the P12 Settings button to configure additional settings. Enable the Allow manually adding new containers checkbox if it is to be allowed to manually import a PKCS12 certificate into a container that is not already assigned to be used during the issuance process. Enable the Allow empty containers checkbox if it is allowed to issue the smart card even if there is no PKCS12 file imported during the issuance flow. Save the template and close.

The final step is to issue the smart card. From the Lifecycle page issue the smart card as normal. At the Import PKCS12 Files dialog select the container that the PKCS12 file will be imported into. From the Status column you can see which containers have been assigned. This will be Empty until a PKCS12 file is assigned. Additionally, the role DN for the container will already be assigned based on the DN of the selected user to whom the smart card is to be issued. The details of the certificate template that the PKCS12 file will be connected to are also displayed. Select a container and click the Edit button to add the PKCS12 file that is to be imported. Once all containers are assigned click the OK button to complete the issuance.

Manage Virtual Smart Cards

The concept of Virtual Smart Cards (VSC) was introduced by Microsoft in Windows 8. This technology allows TPM chips which are embedded into a PC to be used as a VSC as an option for strong authentication. Using the S-Series it is possible to create and manage VSC. It is possible to use Microsoft's built-in support for VSC in Windows 8 and above (which uses Microsoft's tpmvscmgr) or you can use Versasec's vsec:cms Virtual Smart Card (vsec:cms VSC) product. The main difference between the two approaches is that vsec:cms VSC is supported on Windows 7 and above whereas Microsoft only supports Windows 8 and above.

Important: It will be necessary to have a TPM chip available on your computer and enabled in the system BIOS. For information on using TPM chips please consult your computer hardware manual.

Important: If vsec:cms VSC is used then TPM version 1.2 is currently supported. If a device has a TPM 2.0 then it will be necessary to use Microsoft's implementation.

Note: The management of PUC is only supported when using vsec:cms VSC.

For the creation and issuance of VSC it will be necessary to have the vsec:cms User Self-Service (USS) application installed on the device where the VSC is to be used.

Important: If you use Microsoft's built-in support for VSC then you will need to have local administration rights on the client device when creating and issuing the VSC using the USS. If you use Versasec's vsec:cms VSC then it will not be necessary to have local administration rights. Additionally, if you use the RSDM (see here for details on RSDM) functionality in conjunction with Microsoft's built-in support for VSC then you will not require local administration rights.

If you are using the vsec:cms VSC it will be necessary to enable support for this. From Options > Virtual Smart Card enable the Support for vsec:cms Virtual Smart Card check box. It will be necessary to generate serial numbers for the VSC created. You can define the prefix and suffix you require, and the 15 digit identifier that will be auto generated during card creation can either be a unique random number or an incremental value. Click Apply to enable this support and click Test to get a view of what the serial numbers would look like once created.

Refer to the vsec CMS S-Series Use Cases document for instructions on how to set up and use the S-Series when creating and managing VSC.
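As an added example, not Versasec's code, the following Python sketches the serial-number scheme described above: a configurable prefix, a 15 digit identifier that is either random or incremental, and a configurable suffix, together with a parser that checks a serial against the scheme. The uniqueness bookkeeping, the overflow handling and the preview helper (the role of the Test button) are assumptions of this example.

```python
"""Serial-number scheme for vsec:cms Virtual Smart Cards (added example).

The guide states that a VSC serial is a configurable prefix, a 15-digit
identifier generated at card creation (random or incremental) and a
configurable suffix. This is an illustration written for this page, not
Versasec's implementation: the uniqueness bookkeeping, the overflow handling
and the preview helper are design choices of the example.
"""
import secrets

ID_DIGITS = 15
ID_MAX = 10 ** ID_DIGITS - 1          # largest 15-digit identifier


class VscSerialGenerator:
    def __init__(self, prefix="", suffix="", mode="random", start=1):
        if mode not in ("random", "incremental"):
            raise ValueError("mode must be 'random' or 'incremental'")
        if not 0 <= start <= ID_MAX:
            raise ValueError("start must fit in 15 digits")
        self.prefix = prefix
        self.suffix = suffix
        self.mode = mode
        self._next = start                 # next incremental identifier
        self._issued = set()               # identifiers already handed out

    def _format(self, identifier):
        # Zero-pad so the identifier is always exactly 15 digits.
        return f"{self.prefix}{identifier:0{ID_DIGITS}d}{self.suffix}"

    def _new_identifier(self):
        if self.mode == "incremental":
            if self._next > ID_MAX:
                raise OverflowError("15-digit identifier space exhausted")
            identifier = self._next
            self._next += 1
            return identifier
        # secrets rather than random: a serial that can be predicted is a
        # weaker identifier for a credential. Retry on the rare collision.
        for _ in range(1000):
            identifier = secrets.randbelow(ID_MAX + 1)
            if identifier not in self._issued:
                return identifier
        raise RuntimeError("could not find an unused random identifier")

    def next_serial(self):
        """Create and record the serial for one new card."""
        identifier = self._new_identifier()
        self._issued.add(identifier)
        return self._format(identifier)

    def preview(self, count=3):
        """Show what the next serials would look like without consuming them."""
        if self.mode == "incremental":
            return [self._format(self._next + i)
                    for i in range(count) if self._next + i <= ID_MAX]
        return [self._format(secrets.randbelow(ID_MAX + 1)) for _ in range(count)]


def parse_serial(serial, prefix="", suffix=""):
    """Recover the identifier from a serial; raise if it does not fit the scheme."""
    if not (serial.startswith(prefix) and serial.endswith(suffix)):
        raise ValueError("prefix or suffix does not match")
    body = serial[len(prefix):len(serial) - len(suffix)]
    if len(body) != ID_DIGITS or not body.isdigit():
        raise ValueError("identifier must be exactly 15 digits")
    return int(body)


if __name__ == "__main__":
    gen = VscSerialGenerator(prefix="VSC-", suffix="-01", mode="incremental")
    print("preview:", gen.preview())
    for _ in range(3):
        print("issued: ", gen.next_serial())
    rnd = VscSerialGenerator(prefix="VSC-", mode="random")
    print("random: ", rnd.next_serial())
```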

Batch Issuance

It is possible to issue smart cards in batch mode from a preconfigured batch file, which removes the manual step where the operator has to select the user that the smart card is to be assigned to from the user directory. Batch issuance is ideal for work flows where the S-Series is connected to a smart card printer which has smart card feeder capabilities. Alternatively it is possible to connect multiple smart card readers to the issuing work station using, for example, a USB hub. When configured, an operator can start the batch job, removing any requirement for manual intervention by the operator during the flow. Follow the steps below to configure the S-Series to perform batch issuance from a preconfigured batch file.

1. Create a batch file, using Notepad for example, and save the file as a text file. For a setup where a MS CA is used the file needs to contain the full distinguished name of the users that are to be issued. For a setup where an Entrust CA is used with reference and authorization codes, the codes will need to be saved in a text file. Below is an example of the format that the entries should take in the batch file. It is possible to add comments to the file by preceding them with the # character.

Important: The file needs to be saved in UTF-8 encoding format. From Notepad, for example, it is possible to specify the encoding format that the file will be saved as.

# The full DN of users that will be batch issued for MS CA
CN=Alice Burke,OU=CMS Users,DC=versasec,DC=com
CN=Bob Smith,OU=CMS Users,DC=versasec,DC=com
# The Reference code and authorization for Entrust CA
Reference number: ,Authorization code: RMIM-74YE-BWSZ
Reference number: ,Authorization code: D6IJ-8PY8-OXPK

2. Configure a smart card template as described above.
3. From the Lifecycle page, and with the first user smart card that is to be issued attached, click the Issued oval and select the card template that was configured in the previous step. Click the Batch button to start the issuance flow.
4. From the Batch Issuance dialog a number of options are available. Select the Select manually radio button if it is required to manually select the user from the directory during the issuance process, or select Take from input file and browse to the location of the input file as described in step 1 above. A summary of the number of records that will be processed will be displayed in the bottom window of the dialog.
5. If the S-Series is configured to connect to and print to a smart card printer then batch issuance will complete without any intervention required by the operator once the batch job is started. If the S-Series is configured to select users manually during the issuance then when the first card completes you will be prompted to remove the smart card and attach the second card, and so on until all entries in the batch file have been processed. When the batch process completes a short summary dialog will appear.

Note: it is possible to stop the batch process if required. Click the Stop button (see dialog below) from the dialog that appears during the transition from one issued card to a new card that is to be issued.

If the batch process is terminated before completing by clicking the Stop button, the S-Series will create a file with the records that have not been completed. This file will be created in the logged on user's home directory. For example, if the operator is logged in as administrator then the file would be created in this location on Windows 2008 R2:

C:\Users\Administrator\AppData\Roaming\Versasec\vSEC_CMS T-Series\id_data

The file will be created as Issue_id_ txt, where Issue_id is the original file used as created in step 1 above and is a timestamp of when the file was created. It is possible to complete these records at a future stage if required. From the Lifecycle page, and with a user smart card that is to be issued attached, click the Issued oval and select the card template. Click the Batch button to start the issuance flow. Select the Take from pending batch radio button, select the pending file and click OK to proceed.

If the batch process terminated for some unexpected reason, the S-Series will create a file called Issue_id_ _failed.txt, where Issue_id is the original file used as created in step 1 above and is a timestamp of when the file was created. It is possible to complete these records at a future stage if required. From the Lifecycle page, and with a user smart card that is to be issued attached, click the Issued oval and select the card template. Click the Batch button to start the issuance flow. From the Batch Issuance dialog browse to the location of this file and select it. This file will be created in the logged on user's home directory. For example, if the operator is logged in as administrator then the file would be created in this location on Windows 2008 R2:

C:\Users\Administrator\AppData\Roaming\Versasec\vSEC_CMS S-Series\id_data
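The following Python, added here and not part of the S-Series product, checks a batch input file against the rules given in Step 1 of the Batch Preview Print Flow and in step 1 of the Batch Issuance procedure above (UTF-8 encoding, # comment lines, one full DN per line for a MS CA or one Entrust reference/authorization pair per line) and builds the list of records left pending when a batch is stopped early, as described just above. The DN attribute rules, the Entrust code pattern and the timestamp format of the pending file name are assumptions of this example.

```python
"""Checker for S-Series batch input files (added example, not Versasec code).

It applies the rules the guide gives for the batch file: UTF-8 encoding,
'#' comment lines, one full Active Directory distinguished name per line for
an MS CA, or one Entrust "Reference number/Authorization code" pair per line,
and it builds the list of records still pending after a batch is stopped.
The DN attribute rules, the Entrust code pattern and the timestamp format of
the pending file are assumptions made for this example.
"""
import re
from dataclasses import dataclass, field

# Relative distinguished name: attr=value with no stray ',' or '=' (assumption).
_RDN = re.compile(r"^[A-Za-z]+=[^,=]+$")
# Entrust line as shown in the guide; the code pattern xxxx-xxxx-xxxx is assumed.
_ENTRUST = re.compile(
    r"^Reference number:\s*([^,\s]+)\s*,\s*Authorization code:\s*"
    r"([A-Z0-9]{4}-[A-Z0-9]{4}-[A-Z0-9]{4})$"
)


@dataclass
class BatchRecord:
    line_no: int
    kind: str      # "dn" for an MS CA user, "entrust" for a code pair
    value: str     # the record exactly as it should be fed to the S-Series


@dataclass
class BatchReport:
    records: list = field(default_factory=list)
    errors: list = field(default_factory=list)   # (line_no, message) tuples


def parse_dn(text):
    """Split a DN into (attribute, value) pairs; None if it is malformed.

    The guide stresses that a wrong DN makes issuance fail, so the check is
    strict: the first RDN must be CN and at least one DC component is needed.
    """
    pairs = []
    for part in text.split(","):
        part = part.strip()
        if not _RDN.match(part):
            return None
        attr, value = part.split("=", 1)
        pairs.append((attr.upper(), value))
    if not pairs or pairs[0][0] != "CN" or not any(a == "DC" for a, _ in pairs):
        return None
    return pairs


def parse_batch_bytes(data):
    """Parse the raw bytes of a batch file into a BatchReport."""
    report = BatchReport()
    try:
        # 'utf-8-sig' also accepts the byte-order mark Notepad writes for UTF-8.
        text = data.decode("utf-8-sig")
    except UnicodeDecodeError as exc:
        report.errors.append((0, f"file is not UTF-8 encoded: {exc}"))
        return report
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # blank line or comment
        if _ENTRUST.match(line):
            report.records.append(BatchRecord(line_no, "entrust", line))
        elif parse_dn(line) is not None:
            report.records.append(BatchRecord(line_no, "dn", line))
        else:
            report.errors.append((line_no, f"unrecognised record: {line!r}"))
    return report


def pending_records(report, processed):
    """Records not yet issued when the operator stops after `processed` cards."""
    return [r.value for r in report.records[processed:]]


def pending_file_name(original_name, stamp):
    """Name for the pending file: <original stem>_<timestamp>.txt (format assumed)."""
    stem = original_name[:-4] if original_name.lower().endswith(".txt") else original_name
    return f"{stem}_{stamp}.txt"


# Constructed sample file, UTF-8 with BOM; the reference number is made up and
# the last line is deliberately not a valid DN.
SAMPLE_FILE = (
    b"\xef\xbb\xbf# The full DN of users that will be batch issued for MS CA\n"
    b"CN=Alice Burke,OU=CMS Users,DC=versasec,DC=com\n"
    b"CN=Bob Smith,OU=CMS Users,DC=versasec,DC=com\n"
    b"# Entrust record with a constructed reference number\n"
    b"Reference number: 12345678,Authorization code: RMIM-74YE-BWSZ\n"
    b"Bob Smith\n"
)

if __name__ == "__main__":
    rep = parse_batch_bytes(SAMPLE_FILE)
    for rec in rep.records:
        print(f"line {rec.line_no}: {rec.kind:8} {rec.value}")
    for line_no, msg in rep.errors:
        print(f"line {line_no}: ERROR {msg}")
    print("pending after 2 cards:", pending_records(rep, 2))
```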

S-Series Failover Setup

The S-Series can be configured in a Microsoft (MS) Windows Server Failover Clustering environment to ensure high availability of the application.

Prerequisites

The following prerequisites are required:

1. Configured MS Windows Server Cluster with at least 1 additional shared storage;
2. S-Series is installed on each cluster node;
3. The S-Series dat folder, which is where the database file for the S-Series is located, is configured to point to the S-Series database file that is located on the shared storage;
4. The S-Series Service should be running on one node only. On all other nodes where the S-Series is installed the service should be stopped.

High level Architecture

The diagram below describes how the S-Series can be configured in an MS cluster environment to ensure high availability. The S-Series needs to be installed on each node (Node 1 and Node 2 below) with the S-Series database file stored on a shared storage.

Sample Deployment

This section describes the steps to be carried out to deploy the S-Series into a MS clustered environment where two nodes are used. It is expected that the MS clustered environment is already set up and functional. This document does not provide the steps to set up an MS cluster environment.

Setup Steps

1. Install the S-Series on each of the nodes;
2. Stop the S-Series service (vsec:cms Service) on each node;
3. In the shared storage location create a folder called dat which will be used to store the database for the S-Series;
4. Copy the files of the S-Series dat folder into the dat folder created in step 3 above. It will be necessary to change the permissions on the dat folder of the S-Series in order to access this folder;
5. Once the files are copied into the dat folder on the shared storage, delete the dat folder of the S-Series installation on each of the nodes;
6. Configure the S-Series database file on each node to point to the shared storage. In order to point each S-Series dat folder to the shared storage a symbolic link will need to be configured. For example, if the shared storage resides at the location \\shared_storage then run the following command from a command prompt to configure the symbolic link:

C:\>mklink /d "C:\Program Files (x86)\versasec\vsec_cms S-Series\dat" "\\shared_storage\dat"

7. Start the S-Series service on one of the nodes.
8. From the Failover Cluster Manager right click your cluster and select Configure a Service or Application. Follow the wizard instructions and from the Select Service or Application dialog select Generic Service. Select the vsec:cms Service and follow the wizard instructions to complete.
9. If you are using the Operator console service then it will be necessary to add this service to the cluster. From the Failover Cluster Manager go to the node that is active and under Service and Applications right click the service that you added in step 8 above and select Add a resource. Select Generic Service and select vsec:cms Operator Console Service. Follow the wizard to complete the setup.

10. If you are using the User Self-Service then it will be necessary to add this service to the cluster. From the Failover Cluster Manager go to the node that is active and under Service and Applications right click the service that you added in step 8 above and select Add a resource. Select Generic Service and select vsec:cms User Self Service. Follow the wizard to complete the setup.
11. This completes the setup.

Important: If the S-Series is already operational and is being moved into a clustered failover setup then it will be necessary to copy the contents of the dat folder of the operational S-Series to the location of the dat folder on the shared storage.

Important: The Windows service account that the vsec:cms service uses needs to have permissions to read/write to the dat folder on the shared storage.

Failover Cluster and User Self-Service

In setups where user self-service is configured it will be necessary to have an operator configured that will perform administration key operations for users using the self-service application. These operators can either be in the form of a token or an encrypted key store. If the operator is in the form of a token then an operator must log on to the S-Series to re-activate User Self-Service after the instance has moved from one node to another. If the operator is in the form of an encrypted key store then the failover will be performed without any requirement for an operator to log on and re-activate the User Self-Service. Therefore in this setup the failover will occur seamlessly.

Important: It will be necessary to fully configure the user self-service connection on the S-Series on both nodes.

Migrate S-Series

This section describes the steps to migrate an existing installation of the S-Series from one server to a new server.

Procedure on Current Server

This section describes the steps which need to be performed on the server with the existing running S-Series. As a first step it is required to stop all work on the S-Series system, i.e. log out all operators and stop the S-Series service from the Windows Service Control Manager. The next step is to copy the dat folder to the new server. Using Windows Explorer, go to the folder where the S-Series has been installed. If the default install folder was used it will be c:\program files\versasec\ on 32-bit versions of Windows and c:\program files (x86)\versasec\ on 64-bit versions. A copy of the dat folder needs to be taken and to do this the properties of the folder must be changed. The owner of the dat folder is set to SYSTEM and to be able to copy the dat folder the ownership must be changed from SYSTEM to a different user account that has the rights to copy the folder. Open the dat folder and the permissions dialog will be displayed.

Click the Security tab and click the Continue button. Select a listed user account or add one by selecting Other users or groups. Then click Apply. Now that you have changed the ownership of the dat folder it can be copied for use on the new system.

Procedure on New Server

On the new server you will first need to install the S-Series. After the installation the S-Series service is started automatically. The service must be stopped (using the Windows Service Control Manager) to be able to replace the database files in the dat folder. Using Windows Explorer go to the folder where the S-Series was installed. If the default install folder was used it will be c:\program files\versasec\ on 32-bit versions of Windows and c:\program files (x86)\versasec\ on 64-bit versions. Rename the dat folder so that it is no longer called dat. The permissions on the folder will not allow the name to be changed, therefore follow the procedure performed in the previous section to change ownership of the folder. If a dialog is displayed blocking the rename, stop the service called vsec:cms Service from Services in the Control Panel, then rename the dat folder and then start the vsec:cms Service.

Copy the dat folder taken from the first system into this folder. Now start the S-Series service (from the Windows Service Control Manager) to complete the migration.
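The following script is an added example, not Versasec's own tooling: it carries out the current-server and new-server procedures above from an elevated PowerShell prompt, including the ownership change that the guide performs through the folder's Security tab, and hands the folder back to SYSTEM afterwards so the service keeps the read/write access it needs. The staging share \\newserver\vseccms-migration, the 64-bit default install path and the service display name vsec:cms Service are assumptions; adjust them for your environment.

```powershell
# Added example, not Versasec code. Save as migrate-dat.ps1 and run it elevated:
#   .\migrate-dat.ps1 -Role CurrentServer   (on the server with the existing S-Series)
#   .\migrate-dat.ps1 -Role NewServer       (on the new server, after installing the S-Series)
param([Parameter(Mandatory)][ValidateSet('CurrentServer', 'NewServer')][string]$Role)

# Assumptions: 64-bit Windows with the default install folder; on 32-bit Windows use $env:ProgramFiles
$InstallDir         = Join-Path ${env:ProgramFiles(x86)} 'versasec'
$DatDir             = Join-Path $InstallDir 'dat'
$Staging            = '\\newserver\vseccms-migration\dat'   # assumed share reachable from both servers
$ServiceDisplayName = 'vsec:cms Service'                    # display name used in this guide

function Stop-VsecCmsService {
    # Operators must already be logged out; stopping the service releases the database files
    $svc = Get-Service -DisplayName $ServiceDisplayName -ErrorAction Stop
    if ($svc.Status -ne 'Stopped') {
        Stop-Service -InputObject $svc -Force
        $svc.WaitForStatus('Stopped', [TimeSpan]::FromSeconds(60))
    }
}

function Set-DatOwnerToCurrentUser {
    # The guide's ownership change (Security tab > Continue > pick an account > Apply) without the GUI
    param([string]$Path)
    takeown.exe /F $Path /R /D Y | Out-Null
    icacls.exe $Path /grant "${env:USERDOMAIN}\${env:USERNAME}:(OI)(CI)F" /T | Out-Null
}

function Copy-DatFolder {
    # /E includes subfolders, /COPY:DAT keeps data, attributes and timestamps.
    # Robocopy exit codes 0-7 mean success; 8 and above mean something was not copied.
    param([string]$Source, [string]$Destination)
    robocopy.exe $Source $Destination /E /COPY:DAT /R:2 /W:5 | Out-Null
    if ($LASTEXITCODE -ge 8) { throw "robocopy from $Source to $Destination failed with exit code $LASTEXITCODE" }
}

function Invoke-CurrentServerStep {
    Stop-VsecCmsService
    Set-DatOwnerToCurrentUser -Path $DatDir
    Copy-DatFolder -Source $DatDir -Destination $Staging
}

function Invoke-NewServerStep {
    Stop-VsecCmsService                       # the installer starts the service automatically
    Set-DatOwnerToCurrentUser -Path $DatDir
    Rename-Item -Path $DatDir -NewName 'dat.fresh-install'   # keep the installer's copy instead of deleting it
    Copy-DatFolder -Source $Staging -Destination $DatDir
    # Hand the folder back to SYSTEM so the service account keeps its read/write access
    icacls.exe $DatDir /setowner 'NT AUTHORITY\SYSTEM' /T | Out-Null
    icacls.exe $DatDir /grant 'NT AUTHORITY\SYSTEM:(OI)(CI)F' /T | Out-Null
    Start-Service -DisplayName $ServiceDisplayName
}

switch ($Role) {
    'CurrentServer' { Invoke-CurrentServerStep }
    'NewServer'     { Invoke-NewServerStep }
}
```

Keep the renamed dat.fresh-install folder until the migrated S-Series has been started and an operator has logged on successfully; it is the only way back to a clean install without rerunning the installer.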

Setup S-Series as Remote Application

This section outlines the procedure for publishing the S-Series as a Windows RemoteApp on Windows Server 2008.

Prerequisites
1. The RD Session Host role service must be installed (this is the basic "terminal server" system role);
2. The application that is to be hosted by the RD Session Host server must be installed on the RD Session Host system, in this case the S-Series application.

Create Remote Distribution File
Click Start > Administrative Tools > Remote Desktop Services > RemoteApp Manager. In the Actions pane, click Add RemoteApp Programs. Click Next, select Start vsec_cms and click Next. Click Finish. Right-click vsec:cms under RemoteApp Programs and select Create .rdp File. Click Next and select the location where the .rdp file should be saved. Click Finish to complete.

Restore S-Series

In the unlikely event that the S-Series application needs to be reinstalled it is possible to restore the application to the state it was in before the reinstall. Follow the steps below to restore the S-Series application.

Important: Before starting a restore it is important that you have a backup database file available and that you know the backup database passcode.

Step 1: Perform an uninstall of S-Series
Follow the uninstall instructions in this guide to perform a clean uninstall.

Step 2: Reinstall the S-Series
Follow the install instructions in this guide to perform a clean install.

Step 3: Restore the S-Series application
With a fully featured operator card attached to the system that has a role which includes System Administrator, start the S-Series. The operator will be prompted to browse to the location of the backup database file. The file name of the backed-up database file should be OperatorTool_Audit.db.bak. On selecting the database file, enter the operator passcode and the backup database file passcode as created during the initialization phase of the original installation. Click the Ok button to complete the restore.

Create S-Series Operator Cards

This section describes the steps required to create S-Series operator cards. This process will result in an operator card applet being written to the smart card, allowing the smart card to be used as an operator smart card.

Important: The operator card(s) that you create need to be Gemalto IDPrime.NET cards.

Prerequisite
The operator needs to have the System Administrator role in order to carry out this process.

Create Operator Card
1. Attach the operator smart card to the host where the S-Series is installed;
2. Go to Start > All Programs > Versasec > vsec:cms S-Series > tools and start the application Operator Card Tool (OCT);
3. Click the button Copy System Identification Information as indicated below.
4. The OCT will save the identification information to the host system clipboard. Copy this information and send it to your provider;
5. The information will look similar to the following:
<authkeys> <tokencsn> cb3163a05ffff</tokencsn> <tokenid>100000</tokenid> <key><cont>vsec-sys-key</cont><spec>1</spec><pub> a4000.</pub></key> </authkeys><key><cont>9c8927ae-ae77-4bc3-bbf a26c60</cont><spec>2</spec><pub> </pub></key> </authkeys>
6. Versasec will then update their issuer server with this information and notify your provider when this is completed.
7. When the notification has been received from your provider, start the OCT with the operator card attached. Follow the steps below to complete the process.

Important: To complete the process the host on which the OCT is running needs to have an internet connection. If the host does not have an internet connection it is possible to copy the OCT to a host that does. Simply copy the file vseccms_oct.exe from the install folder of the S-Series (typically C:\Program Files (x86)\versasec\vsec_cms S-Series\tools) and start the OCT. In this case it will not be possible to create operator cards from cards that are already issued by the CMS, as the OCT has no way of knowing the administration key value. It will only be possible to issue operator cards from cards that still have the default factory administration key value (0000.). If operator cards are required from cards that are already issued by the CMS then it will be necessary to unregister the cards from the CMS first.

Step 1. On starting the OCT application with the operator card attached you should see a dialog similar to this.

Step 2. Attach a second smart card that will be used as an operator card. If the card attached is a blank smart card you will see a dialog similar to this. Jump to Step 4 below.

Step 3. Attach a second smart card that will be used as an operator card. If the card attached is a smart card that is already managed by the S-Series and the OCT is running on the same host on which the S-Series is installed, you will see a dialog similar to this. Jump to Step 5 below.

Step 4. If the administration key value is not the default value, and you know the administration key, enter it into the Smart card admin key field. Click the Details button to get further details on the smart card that is to be issued as an operator card. Enter the operator token PIN into the field provided and click the Create Card button to begin the process. If it is required to remove the operator card applet that is on the card, click the Clean Card button. This completes the flow. It will now be necessary to register and issue the card with the S-Series.

Step 5. Click the Details button to get further details on the smart card that is to be set as an operator card. Enter the operator token PIN into the field provided and click the Create Card button to begin the process. If it is required to remove the operator card applet that is on the card, click the Clean Card button. This completes the flow.

Issue S-Series Operator Card(s)

In order to add operators to the S-Series application, the following procedure should be followed.

Note: An operator will need to be issued with a smart card token in order to be able to perform operations with the S-Series. See the section above for details on the options available for configuring operator cards.

Step 1: Configure the AD and CA Connections
The first step is to configure the connections to the AD and CA. See the sections in this document on AD and CA for how to configure these connections.

Step 2: Configure the vsec:cms Operator Card Template
Once the connections to AD and CA have been set up it will be necessary to edit the vsec:cms Operator card template. From the Templates > Card Templates page select the vsec:cms Operator card template and click the Edit button. From this page click the Edit link beside the Issue Card section in the Template Details section. In the User ID Options section ensure that the Assign user ID checkbox is enabled. From the drop-down list select how the user assignment should be set; it should be set to connect to an AD from which the operator will be selected. In the Enroll Certificate Options section ensure that the Enroll certificate(s) checkbox is enabled if the operator will be issuing certificates. Click the Add button and add an enrollment agent template. This ensures that during the issuance process an enrollment agent certificate will be issued to the operator smart card. Click Ok when complete to save the configuration for this template.

Step 3: Issue the vsec:cms Operator Card
Once the card template configuration is complete the smart card token will need to be issued. From the Lifecycle page, with the operator card attached to the system, select the vsec:cms Operator card template from the Card type drop-down list. Click the Issue button to start the issuance flow. Select the user to whom the operator smart card will be assigned when prompted. Select the roles that this particular operator will be configured with when prompted. After successfully completing the issuance a success dialog with a brief summary will be displayed.

Step 4: Initiate the vsec:cms Operator Card
When the operator card has been issued it will be necessary to initiate the card in order to be able to use it. This means the operator must perform a smart card PIN unblock procedure so that the operator can use the smart card. To initiate the operator smart card follow the same procedure as would be performed when unblocking a user smart card.

User Self-Service

Overview
Using the vsec:cms User Self-Service (USS) application it is possible for a user to issue a certificate to a smart card and to unblock a smart card that is issued and managed by the S-Series. In order to perform these operations it is necessary to configure a smart card template in the S-Series that supports these features, and on the user's side it is necessary to install the vsec:cms USS application. An overview of the architecture is provided in the diagram below.

Important: USS is only supported in the S-Series.
Important: It is required to have English installed as the Region and Language setting on the host where the USS is to be installed.
Important: Currently USS is limited to MS CA and IDnomic CA for certificate issuance and reissuance.
Note: Self-service certificate update is currently not supported for smart cards issued with multiple roles.

Different self-service workflow scenarios are configurable from the S-Series.

1. User can issue certificate(s)
In this workflow the smart card user will be able to issue certificate(s) using the USS application. In the case of virtual smart cards it will be possible to create and issue certificates to devices that contain a TPM and run Windows 8.0 or higher.

2. User unblock using domain credential authentication
In this workflow the user needs to enter their Windows domain credentials to authenticate before unblock of the smart card is allowed.

3. User unblock using self-service passphrase authentication
In this workflow the user needs to enter their self-service passphrase to authenticate before unblock of the smart card is allowed. It is similar to the PUC unblock workflow but with different security considerations: the passphrase hash is stored on the server and the authentication is performed over the network, whereas with a PUC the check is performed on the smart card and the PUC value is sent to the card over PC/SC.

4. Unblock using unblock code
In these workflows the user needs to enter an unblock code at the time they want to unblock a PIN. This unblock code is sent to the S-Series to authorize access to the administration key. The unblock code can be generated through several different workflows:
a) User requests unblock code through the self-service console: The user selects to request an unblock code from the USS console. The request is sent to the S-Series, which checks that all preconditions are fulfilled and, if so, sends the unblock code to the user through the configured mechanism. Once the user receives the unblock code it is possible to unblock the smart card PIN.
b) Operator issues unblock code: In this workflow the operator can request an unblock code for a user, for example when the user calls the helpdesk. Once the operator has generated the code, two different workflows are possible:
1) Unblock code displayed to operator: The unblock code is displayed to the operator, who can then pass it to the user, for example over the telephone or via instant messenger.
2) Code sent to user directly: In this workflow the operator does not see the unblock code. The unblock code is sent directly to the user via email or SMS.
c) Approver issues unblock code: In this workflow someone needs to authorize the PIN unblock request for the user, typically the user's manager. The user starts the workflow by requesting an unblock code from the USS console. The S-Series detects that an approval needs to be carried out, so instead of generating an unblock code and delivering it, an approval code is generated and returned to the user. The user provides this approval code to a person who can approve the request. The approver enters the code to find the request in the S-Series database, sees the details of the request and approves it. Once the approval has been verified by the S-Series it generates an unblock code and sends it to the user.

5. Unblock using PUC
In this workflow a PUC is generated during smart card issuance and provided to the user. No online connection to the S-Series is required to unblock the PIN.

Create Self-Service Template in S-Series

In order to configure self-service support in the S-Series it is necessary to add a smart card template which is configured to support self-service. Follow the instructions in this section to configure a smart card template with self-service support. Before beginning this task some preliminary configuration needs to be in place. Please ensure that the following have been completed before configuring the S-Series for USS:
Configuration of the self-service service is complete;
Configuration of the USS operator service card is complete.

From Templates > Card Templates click Add, or select an existing template and click Edit. In this example a new card template will be added to demonstrate the configuration. Click the Edit link beside General. Enter a template name and select the card type, and a comment if required. Configure the required settings, check the Self-service using the following template check box and click the Manage button. Click the Add button. Enter a name for the template and configure the appropriate settings. See the detailed description below for the different configurations possible for self-service.

From the Issue Card template page different configuration options will be available depending on the configuration requirements. If the smart card is to be issued by the operator before providing the card to the end user then select the Issue by Operator(s) radio button and select the configuration options required for a typical smart card template. If the smart card is to be issued by the end user then select the Issue by User(s) radio button. Check the Automatically initiate cards after issuance check box if the end user should be prompted to set a smart card PIN at the end of the smart card issuance flow. Click the Virtual SC button to configure settings specific to the self-service application generating and issuing a virtual smart card. Enable the Try to create a virtual smart card check box if the self-service application should create a virtual smart card on the device it runs on. Enable Stop issuance when fail to create a virtual smart card to make the self-service application stop the issuance process if the virtual smart card could not be created.

Click the Configure button in the User ID Options section to configure the user ID options. In the User ID Options section select Simple ID String if the user that the smart card token is to be issued to will be entered manually, or select the user directory in which the user is present.

Note: If Simple ID String is used it will not be possible to automatically initiate the smart card token during the self-service issuance process, as with this mechanism there is no way to validate that the user is a valid user. The smart card token will therefore be blocked and the user will need to go through a validation process to perform PIN unblock on the smart card token.

Note: If Simple ID String is used it will not be possible to configure certificate enrollment, as this is not supported.

In the User Authentication Options section select the authentication method that will be used to authenticate the user during the issuance process. Currently it is possible to select either Windows domain credential or Workplace join certificate. If Windows domain credential is selected then the user will be prompted to enter their Windows domain and username along with their Windows password to authenticate during the smart card issuance flow.

If Workplace join certificate is selected then a workplace join certificate must already be installed on the client computer where the USS application is running. This certificate will be used to detect and authenticate the user during issuance from the USS. A workplace join certificate is detected by the USS application using an issuer DN filter containing MS-Organization-Access. The first certificate that the USS finds matching this filter will be used.

In the Permission Options section enable the Permission check enabled check box if the self-service issuance is required to be approved. See the section below for further details on how to configure Windows for approval in AD environments. Select the appropriate Extended rights and click the Add button to add the approver(s) who can approve the user for self-service issuance. It is possible to test the configuration by clicking the Get button and selecting a user from the group created. Click the Check Permission button to validate the configuration.

Configure Self-Service Template

The configuration settings available for self-service are described in this section.

Issuance
Under the Issuance setting enable the Self-issuance checkbox if smart card users are allowed to issue their smart cards directly from the USS application. By enabling this setting the smart card user will be able to issue their smart card directly from the USS application, removing the need for the operator to issue the smart card for the user manually. Enable the Retire card enabled checkbox if the smart card user is allowed to retire the smart card through the USS, thereby allowing the smart card to be issued again through the USS. This use case would typically apply where a temporary card is issued to a user through the USS; once the user returns with their primary card they can retire the temporary card, allowing it to be re-issued at a future time.

User Authentication for PIN Unblock
Under User Authentication for PIN Unblock several configuration options are available. Enable Use passphrase to authenticate user if the user performing the unblock operation from the User Self-Service application is required to enter a passphrase to authenticate during the unblock procedure. Click the Policy button to configure a passphrase policy that must be met when the user sets their passphrase.

By enabling the Adjacent positions allowed check box a passphrase which has repeated characters adjacent to one another will be allowed. Enter the number of allowed adjacent positions in the Allowed repetitions field. The value entered sets the number of times that a character can be repeated in adjacent positions. For example, if this value is set to 4 then 1111c1 and aaaa1a are allowed passphrase values and 11111c and aaaaa1 are not allowed.

Note: The value set here cannot exceed the Max appearance value configured in the field described below.

Max appearance sets the allowed number of appearances of any one character in a passphrase; it is not possible to specify which character. For example, if Max appearance is set to 2 then the passphrase value 0001 would not be allowed whereas the passphrase value 0011 would be allowed.

Max length of sequence is the longest run of consecutive characters that is allowed, for example 1,2,3,4,5,6... For example, if this parameter is set to 4 then 1234c5 and abcd1e are allowed passphrase values and 12345c and abcde1 are not allowed.

Max repeated characters sets the number of different characters that may each be repeated at least once. For example, if this value is set to 1 then one character can be repeated, but it is not possible to specify which one.

Tries counter sets the number of incorrect passphrase entry attempts a user can make before the flow is terminated. The user will then need to request a reset of the passphrase.

Enable the Character set restrictions check box in order to configure specific character combinations to be used when setting a passphrase. If this check box is not enabled then all characters will be allowed when setting a passphrase. If the Character set restrictions check box is enabled then it is possible to configure the allowed characters when setting a passphrase. These can be set to either Allowed or Mandatory or both. If Alphabetic uppercase is enabled then the passphrase must contain an upper case character. If Alphabetic lowercase is enabled then the passphrase must contain a lower case character. If Non-alphabetic is enabled then the passphrase must contain a character that is neither numeric nor alphabetic; for example, any of these characters would qualify: -!" $%^&*(). If Non-ASCII is enabled then the passphrase must contain a non-ASCII character.

The New passphrase must differ check box, if enabled, ensures that the new passphrase entered is not the same as the previous passphrase set.

For Passphrase length, Min sets the minimum length that the passphrase must have when the user sets their passphrase and Max sets the maximum length allowed.

Enable System generates passphrase at card issuance if the S-Series application should generate a passphrase for the user when issuing the user's smart card. Click the Deliver button to create an email template that will be used to send the generated passphrase to the user at card issuance. See the section below for further details on how to create an email template for sending the email. Enable the User may change passphrase check box if the user is allowed to change their passphrase from the User Self-Service application.

Add Passphrase Email Notification Template
Click the Add button to add a template. Enter a template name and select the Outgoing Email Server from the drop-down list. The email server connection will need to be configured beforehand from Options > Connections > Email. Click the Edit email template button. Enter a From address and enter the variable name that should be used to retrieve the user's email address from the user directory. Enter a CC and BCC if required. Enter an appropriate subject for the email. For the body two options are available: HTML or text. If HTML is selected it will be necessary to import an MHT file which contains the content of the email body. MHT files can be created using MS Word, for example. S-Series variable names can be used and will be replaced with actual data, for example the user's name retrieved from the user directory.

Important: When adding variable placeholders to either MHTML or plain text the variable must be entered correctly, i.e. the variables are case sensitive.

If text is selected enter the appropriate message body and use S-Series variables to populate specific details such as the user's name. When editing text in this window, to go to a new line press Ctrl + Enter.
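The following script is an added example, not part of the vsec:cms product: it implements the passphrase policy rules described above as a PowerShell check so that a policy can be tried against candidate passphrases before it is rolled out to users. Field names mirror the dialog. A sequence is treated as ascending consecutive characters (the 1,2,3,4,5,6 of the description); the guide does not say whether descending runs count, so they are not checked. The Tries counter is server-side state rather than a property of the passphrase and is not modelled. The demo policy at the end is constructed so that the guide's own examples produce the results it states.

```powershell
# Added example, not Versasec code: reference check for the self-service passphrase policy rules.

function Get-MaxAdjacentRun {
    # Longest run of one character in adjacent positions: "1111c1" -> 4, "11111c" -> 5
    param([string]$Text)
    $max = 0; $run = 0; $prev = $null
    foreach ($c in $Text.ToCharArray()) {
        if ($c -ceq $prev) { $run++ } else { $run = 1; $prev = $c }
        if ($run -gt $max) { $max = $run }
    }
    return $max
}

function Get-MaxSequenceRun {
    # Longest run of ascending consecutive characters: "1234c5" -> 4, "abcde1" -> 5
    param([string]$Text)
    if ($Text.Length -eq 0) { return 0 }
    $chars = $Text.ToCharArray()
    $max = 1; $run = 1
    for ($i = 1; $i -lt $chars.Length; $i++) {
        if ([int]$chars[$i] -eq ([int]$chars[$i - 1] + 1)) { $run++ } else { $run = 1 }
        if ($run -gt $max) { $max = $run }
    }
    return $max
}

function Test-Passphrase {
    # Returns the list of policy rules the passphrase violates; an empty result means it is allowed.
    param(
        [Parameter(Mandatory)][string]$Passphrase,
        [Parameter(Mandatory)][hashtable]$Policy,
        [string]$PreviousPassphrase = ''
    )
    # Rule from the note above: Allowed repetitions may not exceed Max appearance
    if ($Policy.AdjacentPositionsAllowed -and $Policy.AllowedRepetitions -gt $Policy.MaxAppearance) {
        throw 'Invalid policy: Allowed repetitions cannot exceed Max appearance'
    }
    $violations = New-Object System.Collections.Generic.List[string]
    # Per-character counts; -CaseSensitive keeps 'a' and 'A' as different characters
    $counts = @($Passphrase.ToCharArray() | Group-Object -CaseSensitive)
    $maxAppearance = ($counts | Measure-Object -Property Count -Maximum).Maximum
    $repeated = @($counts | Where-Object { $_.Count -gt 1 }).Count

    if ($Passphrase.Length -lt $Policy.MinLength) { $violations.Add("shorter than Min length $($Policy.MinLength)") }
    if ($Passphrase.Length -gt $Policy.MaxLength) { $violations.Add("longer than Max length $($Policy.MaxLength)") }

    # Adjacent positions: when not allowed, no character may sit next to itself
    $allowedRun = if ($Policy.AdjacentPositionsAllowed) { $Policy.AllowedRepetitions } else { 1 }
    if ((Get-MaxAdjacentRun $Passphrase) -gt $allowedRun) { $violations.Add("a character is repeated more than $allowedRun times in adjacent positions") }
    if ($maxAppearance -gt $Policy.MaxAppearance) { $violations.Add("a character appears more than $($Policy.MaxAppearance) times") }
    if ((Get-MaxSequenceRun $Passphrase) -gt $Policy.MaxLengthOfSequence) { $violations.Add("contains a sequence longer than $($Policy.MaxLengthOfSequence)") }
    if ($repeated -gt $Policy.MaxRepeatedCharacters) { $violations.Add("more than $($Policy.MaxRepeatedCharacters) different characters are repeated") }

    # Character set restrictions apply only when enabled; each class marked Mandatory must be present
    if ($Policy.CharacterSetRestrictions) {
        if ($Policy.MandatoryUppercase -and $Passphrase -cnotmatch '\p{Lu}') { $violations.Add('no upper case character') }
        if ($Policy.MandatoryLowercase -and $Passphrase -cnotmatch '\p{Ll}') { $violations.Add('no lower case character') }
        if ($Policy.MandatoryNonAlphabetic -and $Passphrase -cnotmatch '[^\p{L}\p{Nd}]') { $violations.Add('no character that is neither alphabetic nor numeric') }
        if ($Policy.MandatoryNonAscii -and $Passphrase -cnotmatch '[^\x00-\x7F]') { $violations.Add('no non-ASCII character') }
    }
    if ($Policy.NewPassphraseMustDiffer -and $Passphrase -ceq $PreviousPassphrase) {
        $violations.Add('same as the previous passphrase')
    }
    return $violations
}

# Demo policy (constructed for this example) chosen so the guide's own examples behave as described
$DemoPolicy = @{
    MinLength = 6; MaxLength = 32
    AdjacentPositionsAllowed = $true; AllowedRepetitions = 4
    MaxAppearance = 5
    MaxLengthOfSequence = 4
    MaxRepeatedCharacters = 1
    CharacterSetRestrictions = $true
    MandatoryUppercase = $false; MandatoryLowercase = $true
    MandatoryNonAlphabetic = $false; MandatoryNonAscii = $false
    NewPassphraseMustDiffer = $true
}

# Expected: 1111c1, 1234c5, abcd1e allowed; 11111c, 12345c, abcde1 rejected
foreach ($candidate in '1111c1', '11111c', '1234c5', '12345c', 'abcd1e', 'abcde1') {
    $result = @(Test-Passphrase -Passphrase $candidate -Policy $DemoPolicy)
    if ($result.Count -eq 0) { "$candidate : allowed" } else { "$candidate : rejected ($($result -join '; '))" }
}
```

Note how the guide's example 1111c1 passes only because Max appearance is at least 5: the character 1 appears five times in total even though its adjacent run is four, which is why the guide says Allowed repetitions may not exceed Max appearance.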
Enable the Use Windows credentials to authenticate user check box if the user is required to provide their Windows domain username and password as authentication during the smart card unblock workflow.

PIN Unblock Codes
Under PIN Unblock Codes several configuration options are available.

User Request Unblock Code
If configured, a user whose smart card is issued and managed by the S-Series may request PIN unblock codes in order to unblock their smart card.

Enable the Enable checkbox to configure the S-Series to support this feature.

Note: It is mandatory that this setting is enabled, otherwise it will not be possible to create and save a self-service template.

Enable User may request unblock code via console if the user to whom the smart card is issued is allowed to request an unblock code from the USS. Enable the Approval check box if any request for an unblock code from a user requires approval before the code is provided to the user. Click the Configure button to configure the approval as it would be set in a Windows AD environment. See the section on configuring approval below for further details.

Note: If Approval is enabled it will be necessary to enable and configure the Deliver option described below, otherwise it will not be possible to save the template configuration.

Enable the Force authentication button if the user needs to authenticate before they can proceed with an unblock request. Depending on the authentication mechanism configured under User Authentication for PIN Unblock the user will be prompted to present an authentication credential. Enable the Deliver check box to configure an email or SMS template that can be used to send the user an email or SMS with the unblock code when they request one.

Note: If the Approval and Deliver options are not enabled then the user will only need to enter their passphrase when performing a PIN unblock from the USS application. In this case the PIN unblock occurs in the background. This is the least secure configuration possible.

Add PIN Unblock Code Email Notification Template (User)
Click the Add button to add a template. Enter a template name and select Email from the drop-down list. The email server connection will need to be configured beforehand from Options > Connections > Email. Click the Edit email template button. Enter a From address and enter the variable name that should be used to retrieve the user's email address from the user directory. Enter a CC and BCC if required. Enter an appropriate subject for the email. For the body two options are available: HTML or text. If HTML is selected it will be necessary to import an MHT file which contains the content of the email body. MHT files can be created using MS Word, for example. S-Series variable names can be used and will be replaced with actual data, for example the user's name retrieved from the user directory. If text is selected enter the appropriate message body and use S-Series variables to populate specific details such as the user's name. When editing text in this window, to go to a new line press Ctrl + Enter.

Important: When adding variable placeholders to either MHTML or plain text the variable must be entered correctly, i.e. the variables are case sensitive.

Add SMS PIN Unblock Code Notification Template (User)
Click the Add button to add a template. Enter a template name and select SMS from the drop-down list. Click the Manage button and click Add to add an SMS provider.

Note: Currently the SMS providers that can be used are TeleSign, Certificall, Clickatell, Tyntec and Dolphin. It is also possible to configure a Generic HTTP SMS connector if the provider supports HTTP.

Enter a template name and the Service address and Service mobile address fields will be filled in automatically with the details for TeleSign. In the Credentials section enter the credentials as provided by TeleSign. Click Save to save and close the dialog. Then from the SMS Provider drop-down list select the template just created. For the other supported SMS providers (Certificall, Clickatell, Tyntec and Dolphin) the protocol used is SMS over HTTP, as this is the protocol supported by these providers. If additional providers not listed here support SMS over HTTP then the generic HTTP provider can be configured. Sample configurations are pre-set for the supported providers. It is necessary to check with your provider to determine what parameters are required. For example, if you are using Clickatell as your provider then enter a template name and select Clickatell from the available SMS providers. Enter the service address and the protocol required. In the Parameters section pre-set parameters are already provided. The user, password and api_id need to be configured with your specific credentials. The to and text parameters will be assigned to variables mapped to attributes, as the phone number will typically need to be retrieved for the user from a user directory and the text needs to be retrieved as well. Click the Edit SMS template button to create an SMS message template. Enter a phone number in the Phone number field. This would typically be a variable that is mapped to an attribute in the user directory. In the message window enter the message content that you wish to send. From the Variables drop-down list select a variable that is required and click the Copy button to copy the variable value, which can then be pasted into the message window. Click Ok to save the settings.

Important: When adding variable placeholders to either MHTML or plain text the variable must be entered correctly, i.e. the variables are case sensitive.

Operator Request Unblock Code

A user whose smart card is blocked may request an unblock code in order to unblock the smart card. This would typically be conducted through a dedicated helpdesk service. Enable Operator may generate unblock codes if operators with the appropriate permissions are to be allowed to generate PIN unblock codes for user smart cards issued and managed by the S-Series. Enable the Show code checkbox if the PIN unblock code is to be displayed to the operator when they request it. The operator would then need to provide this code to the user in order for them to perform the PIN unblock. Enable the Deliver check box if it is required to configure an email template that can be used to send an email to the user with the unblock code when the operator requests one. Enable the Deliver at issuance check box to configure the S-Series to send an email with an unblock code when the smart card is issued for the first time. Note: It is mandatory that at least one of the configuration options, User may request unblock code via console or Operator may generate unblock code, is enabled here; otherwise it will not be possible to create and save a self-service template.

Add PIN Unblock Code Notification Template (Operator)

Click the Add button to add a template. Enter a template name and select email from the drop down list. The email server connection will need to be already configured from Options > Connections. Click the Edit template button. Enter a From address and enter the variable name that should be used to retrieve the user's email address from the user directory. Enter a CC and BCC if required. Enter an appropriate subject for the email. For the body two options are available: HTML or text. If HTML is selected it will be necessary to import an MHT file which contains the content of the email body. MHT files can be created using MS Word, for example. S-Series variable names can be used, which will be replaced with actual data; for example the user's name can be retrieved from the user directory. If text is selected, enter the appropriate message body and use S-Series variables to populate specific details such as the user's name. When editing text in this window, press Ctrl + Enter to go to a new line. Important: When adding variable placeholders to either MHTML or plain text the variable needs to be entered correctly, i.e. the variables are case sensitive.

Add SMS PIN Unblock Code Notification Template (Operator)

Click the Add button to add a template. Enter a template name and select SMS from the drop down list. Click the Manage button and click Add to add an SMS provider. Note: Currently the SMS providers that can be used are TeleSign, Certificall, Clickatell, Tyntec and Dolphin. It is also possible to configure a Generic HTTP SMS connector if the provider supports HTTP.

For TeleSign, enter a template name and the Service address and Service mobile address fields will automatically be populated with the details for TeleSign. In the Credentials section enter the credentials as provided by TeleSign. Click Save to save and close the dialog. Then from the SMS Provider drop down list select the template just created.

For the other supported SMS providers (Certificall, Clickatell, Tyntec and Dolphin) the protocol used is SMS over HTTP, as this is the protocol supported by these providers. If additional providers not listed here support SMS over HTTP then the generic HTTP provider can be configured. Sample configurations have been pre-set for the supported providers. It is necessary to check with your provider to determine which parameters are required. For example, if you are using Clickatell as your provider, enter a template name and select Clickatell from the available SMS providers. Enter the service address and the protocol required. In the Parameters section pre-set parameters are already provided. The user, password and api_id parameters need to be configured with your specific credentials. The to and text parameters will be assigned to variables mapped to attributes, as the phone number will typically need to be retrieved for the user from a user directory and the text needs to be retrieved.

Click the Edit SMS template button to create an SMS message template. Enter a phone number in the Phone number field. This would typically be a variable that is mapped to an attribute in the user directory. In the message window enter the message content that you wish to send. From the Variables drop down list select a variable that is required and click the Copy button to copy the variable value, which can then be pasted into the message window. Click Ok to save the settings. Important: When adding variable placeholders to either MHTML or plain text the variable needs to be entered correctly, i.e. the variables are case sensitive.

Configure Approval in AD Environment

In this section guidelines on how to configure approval workflows in a Windows AD environment are provided. Important: This is only a guideline and it is expected that an MS Windows server engineer with the appropriate knowledge and expertise would conduct this setup.

Users

In the table below the test users in this example and their locations in terms of organizational units (OU) are listed. The OU help-desk contains the users that are not allowed to get approval from admins for self-service tasks. The OU self-service contains the users that are allowed to perform self-service tasks, which are approved by admins from the group Admins.

Users     OU = help-desk     OU = self-service     Group: Admins
user0
user1     X
user2                        X
admin0
admin1                                             X

Permission Configuration

The permission selected is the built-in Windows permission Reset password. Any extended permission that is configurable in the S-Series can be used. Below are examples of permissions on OU=help-desk and on OU=self-service for the Admins group:

Validating Permissions in AD

You can check that the permissions are correctly configured by checking the Effective Permissions on the users in the user object for the Admins group.

Validating Permission Using S-Series

It is possible to validate permissions from the S-Series to ensure that the environment is configured correctly. When the S-Series is configured for approval as described above, the configured permissions can be validated. Select the Extended Rights configured from the available drop down list and enable Self approval not allowed if it is required that all unblock PIN requests require approval from another person, i.e. it will not be possible for a person to approve their own approval request. In the Test Permission section it is possible to test with actual users. For Requester click the Get button to select a user who can request PIN unblock. For Approver click the Get button to select a user who can approve such a request, and click the Check Permission button. If the Windows server environment is configured correctly a success dialog will be presented as in the example here. The expected results with the test users and configuration from above are as described in the table below:

Requester     Approver: admin0     Approver: admin1
user0         Fail                 Fail
user1         Fail                 Fail
user2         Fail                 Success

Step-by-Step AD Setup Example

In this section an example will be provided. This is only an example for demonstration purposes. Configuring approval in an MS AD environment should be carried out by the appropriate IT personnel with expertise in this area. The example provided here is from an MS Windows 2008 R2 server. On the 2008 R2 server open the Active Directory Users and Computers dialog and make sure that Advanced Features is selected from the View menu. Add a group. In this example, right click the root domain and select New > Group. Accept the default settings and click Ok. Right click the organizational unit that contains the users who can request PIN unblock codes from the USS. In this example we have an organizational unit named CMS Users. Select Properties and select the Security tab.

Click the Advanced button from the previous step and from the Permissions tab click the Add button. Enter the group CMS Approvers and click OK. In the Apply to drop down list select Descendant User objects and for Permissions enable Allow for Reset password and click OK.

Select a user who will be allowed to approve user PIN unblock requests. In this example we will use a user from the Users organizational unit. Right click the user, select Properties and then select the Member Of tab. Click the Add button. Add the group CMS Approvers and click Ok. Click Apply to complete.

From the S-Series it is possible to test the approval configuration. From the Extended Rights retrieved from the AD select the right configured in the earlier step, Reset Password in this example. Click the Get button to select a Requester (a user) from the organizational unit CMS Users. Click the Get button to select an Approver from AD, as configured in the earlier step. Click Check Permission to ensure that the permissions are configured correctly. A success dialog will appear. This completes the setup on the server.
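The AD side of the step-by-step example above can also be scripted, which makes the permission reproducible and easier to review. The following PowerShell script is an added example and is not part of this guide or of the Versasec product. It assumes the ActiveDirectory module (RSAT or a domain controller) is available, that it runs as an account allowed to modify the OU's security descriptor, and that the domain DC=example,DC=local, the group CMS Approvers, the OU CMS Users and the approver account admin1 are placeholders to adapt. It creates the group, grants it the built-in Reset password extended right on Descendant User objects of the OU (the same ACE the Advanced Security dialog adds), adds the approver to the group, and finally lists the matching ACE so the permission can be checked before running Check Permission in the S-Series.

```powershell
# Added example: script the approval permission setup described above.
# Assumptions (placeholders, adapt to your environment):
#   - ActiveDirectory PowerShell module available (RSAT or domain controller)
#   - Domain DC=example,DC=local, group 'CMS Approvers', OU 'CMS Users' and
#     approver 'admin1' are placeholders
#   - Run as an account allowed to modify the OU's security descriptor
Import-Module ActiveDirectory

$DomainDn    = 'DC=example,DC=local'          # placeholder domain
$GroupName   = 'CMS Approvers'
$UsersOuDn   = "OU=CMS Users,$DomainDn"
$ApproverSam = 'admin1'                       # placeholder approver account

# Well-known schema GUIDs (identical in every AD forest):
#   the Reset Password control access right and the User object class
$ResetPasswordRight = [Guid]'00299570-246d-11d0-a768-00aa006e0529'
$UserObjectClass    = [Guid]'bf967aba-0de6-11d0-a285-00aa003049e2'

# 1. Create the approvers group at the domain root if it does not exist yet.
$group = Get-ADGroup -Filter "Name -eq '$GroupName'" -ErrorAction SilentlyContinue
if (-not $group) {
    $group = New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security `
                         -Path $DomainDn -PassThru
}

# 2. Grant the group "Reset password" on Descendant User objects of the OU.
#    Scoping the ACE to the User class keeps it off computers and other objects.
$acl = Get-Acl -Path "AD:\$UsersOuDn"
$ace = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $group.SID,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $ResetPasswordRight,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $UserObjectClass)
$acl.AddAccessRule($ace)
Set-Acl -Path "AD:\$UsersOuDn" -AclObject $acl

# 3. Make the approver a member of the group (Member Of tab in the guide).
Add-ADGroupMember -Identity $group -Members $ApproverSam

# 4. Verify: list the ACEs on the OU that grant the group the Reset Password
#    right on descendant users. An empty result means the ACE was not applied
#    and Check Permission in the S-Series will fail for every requester/approver pair.
$acl = Get-Acl -Path "AD:\$UsersOuDn"
$acl.Access |
    Where-Object {
        $_.IdentityReference -like "*\$GroupName" -and
        $_.ObjectType -eq $ResetPasswordRight -and
        $_.InheritedObjectType -eq $UserObjectClass -and
        $_.AccessControlType -eq 'Allow'
    } |
    Select-Object IdentityReference, ActiveDirectoryRights, InheritanceType, ObjectType
```

Step 4 only confirms that the ACE exists on the OU; it does not compute effective permissions, so an explicit Deny elsewhere or a user located outside the OU (as with user0 in the test table above) still results in a Fail when tested from the S-Series, which is the expected behaviour.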

Installation of USS

On client machines that will use the USS application it will be necessary to install the USS application. The USS application will need to be configured to connect to the S-Series server in order to perform self-service functions. The USS application uses TCP/IP as the communication protocol; therefore a URL will need to be configured on the USS application. This URL can be passed in as a parameter to the installer. The parameter is /url= Note: https or http should be used for the URL depending on whether SSL/TLS is configured on the S-Series connection configuration for USS. For example, from a command window start the installer as:

C:\vSEC_CMS_T_USS.exe /url="

Follow the instructions below to perform the install.
1. Double click the installer vsec_cms_t_uss.exe to start the installation. Click I Agree to proceed.
2. Select the location where the application will be installed to and click Install.
3. When the installation is finished click Close to complete.

Note: If you wish to install the USS in silent mode you can perform this with the /S parameter passed from a command line. The /S is case sensitive.

Using USS

Users of the USS application can perform the following operations. In order to issue (and subsequently reissue) a smart card and unblock the PIN (Crypto) using self-service, the USS application will need to be configured to connect to the self-service web service.

Issue a User Smart Card

It is possible to issue either physical smart cards that are in the possession of the end user OR virtual smart cards. In order to issue and manage virtual smart cards a TPM chip will need to be available on the device that the end user is using. In order to issue a user smart card, from the My Profile page select the smart card reader that the smart card is inserted into from the available drop down list and click the Issue button to begin the issuance process. Note: If a virtual smart card is to be issued it will not be necessary to select the smart card from the drop down list. Simply click the Issue button in this case to proceed. From the Issue Smart Card dialog select the smart card template that is configured on the S-Series and click the Issue button to proceed. If Windows domain authentication was configured on the smart card template the user will be prompted to enter their domain and username along with their Windows domain password to authenticate. Click Ok to proceed.

Depending on what was configured on the smart card template a number of operations will be performed at this point. This may take a few minutes to complete. If the smart card template is configured to set a smart card PIN on the smart card at the end of the issuance process the dialog below will be presented. Enter a PIN that meets the PIN policy requirements for the smart card and click the Initiate button to proceed. On completion the dialog below will be presented. This completes the issuance. From the My Profile page you will now see a short summary of what has been issued to the smart card, as in the example below.

Retire a User Smart Card

It is possible to retire a smart card through the USS. It will be necessary to enable this feature in the Issuance section when configuring the self-service template, as described in the Issuance section above. A retire card use case would typically be used in scenarios where a temporary card is issued to a user through the USS and, once the user returns with their primary card, they can retire the temporary card, thereby allowing the temporary card to be re-issued at a future time. From the My Profile page and with the card attached, click the Retire smart card button to start the retire flow. The user will be required to enter their smart card PIN to authenticate before the operation is allowed to proceed.

If the card is not already revoked the user will be prompted to select a reason for revoking the card. Select or add an appropriate reason and click Ok to proceed. On completion the smart card will be in a retired state and can be re-used to be issued to another user if required.

Reissue Certificate on Smart Card

When a smart card has been issued with one or more certificates it is possible to reissue a certificate on the smart card. For example, a smart card certificate may be about to expire, so it would be necessary to reissue the certificate on the smart card to ensure that the certificate remains valid. From the My Certificates page select the certificate and click the Reissue button to reissue the certificate. The user will be prompted to verify that they wish to reissue their certificate. Click Yes to proceed. The user will be prompted to enter their smart card PIN to authenticate; click Ok to proceed and complete the operation.

Change Smart Card PIN

In order to change the PIN set on the smart card, from the USS console select the My PIN page and select the Change PIN radio button. Select the smart card reader that the smart card is inserted into from the available drop down list and select the PIN that is to be changed. Enter the current PIN along with the new PIN and confirm it. If the smart card supports PIN policy, a window listing the PIN policy requirements that need to be met when setting a new PIN will be presented. The new PIN will need to fulfill these policy requirements in order to change the PIN.

Unblock PIN (Crypto)

In order to unblock the PIN set on the smart card, from the USS console select the My PIN page and select the Unblock PIN (Crypto) radio button. Select the smart card reader that the smart card is inserted into from the available drop down list and select the PIN that is to be unblocked. Several different flows are supported here depending on the configuration set on the S-Series. The different flows possible are:

Smart Card Not Managed by S-Series OR Self-Service Web Service Not Available

If the smart card attached when using the USS is not managed by the S-Series, or the self-service web service is not available (or is not configured), then it will be possible to unblock the smart card PIN using a challenge-response mechanism. The first step is to click the Get button. The USS will generate what is referred to as a challenge. This challenge value needs to be provided to the person who knows the administration key value of the smart card.

This person can then generate what is referred to as a cryptogram. The cryptogram is an unblock code. Enter this value into the field provided, enter and confirm a new PIN value, and click the Unblock button. Note: It is important that the smart card is not removed and that the page remains open during the process, as there is a one-to-one relationship between the challenge and the cryptogram in this operation.

Request Unblock through Approval Flow

If the S-Series card template is configured so that the user may request PIN unblock codes that require approval, then the user will be presented with this view. The user will need to click the Request approval button and, depending on what option is configured for User Authentication for PIN Unblock, the user will be prompted to present their authentication credential.

On entering their authentication credential (if configured) the user (Requester) will be presented with an approval request code, generated by the S-Series, similar to the dialog below. This approval request code, RH-3541 in this example, will need to be provided to the person who can approve the request (the Approver), for example the user's manager. Note: The Approver will need to be issued with a smart card that has a self-service template enabled and that has a certificate installed on the smart card. The Approver will then need to start the USS application, go to the My Profile page, enter this code into the request field and click the Search button to retrieve details on the Requester. The Approver will be prompted to enter their smart card PIN to authenticate. Details about the requested approval will be displayed in the window for the Approver to review.

If the Approver is satisfied they can then click the Approve button to approve the request. They will be prompted to enter their smart card PIN to authenticate and complete the approval. The approval request will be sent to the S-Series where the approval will be verified. The S-Series will generate a one-time unblock code, which is associated with the card that is being unblocked, and this will be used as an authentication ticket when the Requester performs the unblock. The Requester should now receive an email with the PIN unblock code. From the My PIN > Unblock PIN (Crypto) page they should enter a new PIN and confirm it. If the smart card supports PIN policy, a window listing the PIN policy requirements that need to be met when setting a new PIN will be presented. The new PIN will need to fulfill these policy requirements in order to unblock the PIN. Click the Unblock button. The user will be prompted to enter the unblock code that they received. Click OK to complete the flow.

Request Unblock through Request Flow

If the S-Series card template is configured so that the user may request PIN unblock codes, then the user will be presented with this view.

The user will need to click the Request unblock code button and, depending on what option is configured for User Authentication for PIN Unblock, the user will be prompted to present their authentication credential. The S-Series will generate a one-time unblock code, which is associated with the card that is being unblocked, and this will be used as an authentication ticket when the Requester performs the unblock. On entering their authentication credential (if configured) the user will be emailed an unblock code generated by the S-Series and a success dialog with a message will be presented to the user. On receiving the unblock code the user should go to the My PIN > Unblock PIN (Crypto) page and enter a new PIN and confirm it. If the smart card supports PIN policy, a window listing the PIN policy requirements that need to be met when setting a new PIN will be presented. The new PIN will need to fulfill these policy requirements in order to unblock the PIN. Click the Unblock button. The user will be prompted to enter the unblock code that they received. Click OK to complete the flow.

Request Unblock through Windows Domain User Authentication

If the S-Series self-service card template is configured to use Windows credentials to authenticate the user for PIN unblock, then the flow will be similar to the one below. Enter a new PIN and confirm it. Ensure that the PIN entered meets the PIN policy as required. Click the Unblock button to proceed. The user will need to enter their Windows domain credentials to authenticate and click Ok to proceed.

A success dialog will appear on completion.

Unblock PIN (PUC)

A smart card can be unblocked by using a PIN Unblock Code (PUC). The smart card will need to support this feature. In order to use this feature, the smart card will need to be set with a PUC PIN. The person attempting to unblock the PIN using a PUC PIN will need to know the PUC PIN to perform this operation. From the USS console select the My PIN page and select the Unblock PIN (PUC) radio button. Select the smart card reader that the smart card is inserted into from the available drop down list and select the PIN that is to be unblocked. Enter the PUC code along with the new PIN and confirm it. If the smart card supports PIN policy, a window listing the PIN policy requirements that need to be met when setting a new PIN will be presented. The new PIN will need to fulfill these policy requirements in order to change the PIN.

View Certificates on Smart Card

In order to view the certificates stored on the smart card, from the USS console select the My Certificates page. Select the smart card reader that the smart card is inserted into to view the certificates, if any, that are installed on the smart card. By default the USS will present the following options:
- View the digital certificate(s) on the smart card, if any exist;
- Set a certificate on the smart card as default if more than one certificate exists on the smart card. The rosette symbol beside the certificate indicates the default certificate on the smart card if more than one certificate exists.

It is possible to extend the functionality available on this page. Two further buttons can be added to the page which provide the additional functionality described below. Note: See the section below for details on how to add the additional functionality.
- Import a certificate onto the smart card. The certificate format needs to be either PKCS#12 format (*.p12 or *.pfx) or a binary certificate format (*.cer or *.der). A PKCS#12 file can contain one or more certificates and may contain the certificate's key pair. These files are usually protected with a password. A binary certificate file contains one certificate and no keys;
- Delete a certificate on the end user's smart card.

Set Self-Service Passphrase

From the My Profile page a user can set a new self-service passphrase. Click the Set new Self-service passphrase button to start the flow. The user will be prompted to enter their smart card PIN to authenticate. Enter a new passphrase and confirm it. It will be necessary to enter a passphrase that complies with the passphrase policy as set on the card template in the S-Series.

Advanced USS Configuration

If it is required to create custom configurations for the USS application in order to extend or limit the functional options available to users of the application, then the application can be launched with a parameter that allows an operator to create such a configuration. In order to customize the USS application, start the already installed USS application from a command window with the parameter -configure. It will be necessary to have administration rights on the computer to launch the application with this parameter. For example:

C:\Program Files (x86)\versasec\vsec_cms S-Series USS>vSEC_CMS_T_USS.exe -configure

On launching the USS application in this mode the following options are available from the configure dialog. Note: When configuration of the USS application with the appropriate settings is complete, a file named cms_app.set will be created in the location where the USS application was installed. This file should be used if a custom installer is created, and installed to the same location as where the custom installer installs the USS application executable file.

Settings Tab

From the Settings tab three configuration sections are available.

Check for card update on insert:

In this section it is possible to configure the behavior of the USS application when the application is started and the user attaches their smart card. Note: The USS needs to be running in the system tray for this feature to be available. Messages will appear as a balloon message from the system tray. The following options are available:
- Do not select any of the options, so that the USS application will not perform any check on the user smart card when it is attached.
- Select Check for PIN Change. The USS application will check whether the user is required to change the PIN on the smart card when the smart card is attached to the user's computer. For example, it is possible to set a flag on the smart card to change the card PIN on first use. If this is set on the smart card the USS application will notify the user that they need to change their PIN. The smart card used will need to support the change PIN on first use feature.
- Select Check for PIN Unblock. The USS application will check whether the user is required to unblock their PIN on the smart card when the smart card is attached to the user's computer.
- Select Check for card update. The USS application will check whether there are any pending updates that need to be performed on the smart card, such as certificate renewal.

Smart Card Readers:

If it is required to restrict which smart card reader(s) a user can have access to, click the Configure button. This will open a dialog with a list of all available smart card readers connected to your computer. Select which reader(s) should not be available when using the USS application.

Smart Card Access:

From the Smart Card Access section it is possible to enable native access when Gemalto.NET, Raak Technologies C2 and Taglio C2 smart cards are used. This means that it is not necessary to have the minidriver installed on the user's computer for these card types. Note: If the S-Series application is to be used to manage other minidriver-enabled smart cards, i.e. smart cards other than Gemalto.NET, Raak Technologies C2 and Taglio C2, this option should not be enabled. The configurations available are:
- Force minidriver usage. The USS application will only use the smart card minidriver installed on the user's computer if this option is configured. If there is no minidriver available then no operations will be possible with the smart card.
- Use minidriver if possible. The USS application will attempt to use the smart card minidriver installed on the user's computer if this option is configured. If there is no minidriver installed then the USS application will attempt to use native access. If native access is not supported for the smart card then no operations will be possible with the smart card.
- Use native access if possible. The USS application will attempt to use native access to the smart card if this option is configured. If native access to the smart card is not supported then the USS application will attempt to use the minidriver interface. If there is no minidriver available then no operations will be possible with the smart card.
- Force native access. The USS application will only use native access to the smart card if this option is configured. If native access to the smart card is not supported then no operations will be possible with the smart card.

Permissions Tab

From the Permissions tab it is possible to configure the functionality available from the USS application. The list below gives all functionality available in the USS application together with its default setting (Available or Hidden).

My Certificates (Available): This is the certificates page that is available from the USS main application window, which lists all certificates on the user's smart card.

My Smart Card (Available): This is a dialog that can be opened from the File menu. It presents detailed technical information about the attached user smart card, which can be useful when troubleshooting issues.

My Profile (Available): This is the page available from the USS main application window where a user can set an authentication passphrase for authenticating to the self-service server where configured, issue a blank smart card (either a physical smart card or a virtual smart card) and enter an approval code.

My Team (Hidden): This is a placeholder for future functionality that will be added to the USS application. Currently no functionality is available from this action item.

My Updates (Hidden): This page shows pending card update operations that should be performed on the card. These would typically be certificate renewals when a certificate is due to expire.

My PIN (Available): This is the page available from the USS main application window where a user can change their PIN and unblock their PIN.

My Profile - Approve (Available): This button is available to users who can approve unblock PIN requests.

My Certificates - Delete (Hidden): This is the delete button available from the My Certificates page. If this button is available a user can select a certificate on the smart card and delete it.

My Certificates - Import (Hidden): This is the import button available from the My Certificates page. If this button is available a user can import a certificate onto the smart card.

My Certificates - Default (Hidden): This is the default button available from the My Certificates page. If this button is available a user can select a certificate on the smart card and make it the default certificate on the smart card.

My Certificates - Reissue (Available): This button allows the reissue of the selected certificate that was issued on the smart card during the smart card issuance.

Check for Updates (Hidden): By default the USS application is configured not to check for product updates. If this feature is enabled then the application will check the Versasec product updates web service and prompt the user to update their product version.

Save diagnostic trace (Available): This option is available from Help > Diagnostic in the file menu. It allows a user to save a diagnostic log, which is useful when troubleshooting issues.

Key archival Recovery (Available): This functionality allows a key to be archived and/or recovered to the smart card if this is configured on the smart card template.

My Certificates - Issue (Hidden): This is a placeholder for future functionality to be added to the USS.

In order to configure any of the options listed above follow the instructions below. For example, if it is required to not allow users to delete certificates from the USS application, perform the following steps:
1. Select the Action item My Certificates - Delete and click the Delete button.
2. Select the item deleted in the previous step and from the drop down list select Hidden and click Add.

287 3. The item will now be listed in the main window and the Delete button will not be available from the My Certificates page of the USS application. Server Tab From the Server tab it is possible to configure the URL of the S-Series SOAP service that the USS application will communicate with when performing self-service operations. Enter a URL and click the Test button to ensure connectivity to the self-service server. A success dialog will appear if connectivity is possible. For example, if the S-Series server has an IP address of vsec:cms versasec.com 287(338)

and the connection on the S-Series is configured for HTTP access on port 8080 then the following should be entered into the Server URL field:

It is necessary to add /uss after the host name/IP address and port number.

Note: It may be necessary to open firewall ports in order for the USS to communicate with the S-Series.

Create Custom USS Installer

If it is required to create a custom application installer it will be necessary to perform the following operations. This would typically be required if the USS application needed to be customized such that the default USS configuration is not used.

The first step is to install the USS in a test/lab environment. Then configure the USS to meet the specific configuration required for your environment. Any changes from the default configuration will be stored in the cms_app.set file in the root of the USS installation folder. Instructions on how to modify the default behavior of the USS application can be found in the advanced USS configuration above.

Once the configuration changes have been made and validated, the next step is to take all of the files in the root of the USS installation folder and incorporate them into your custom installer, for example an MSI installer. The custom installer should install all the files in the same structure as exists in the default USS installation.

Additionally, a registry key to set the URL that the USS application needs to connect to for self-service functionality should be set. This registry key is optional as the URL can also be set through advanced USS configuration as described above.

Registry key for 32 bit clients:

    [HKEY_LOCAL_MACHINE\SOFTWARE\Versasec\vSEC_CMS_T]
    "soap.server.url"="

Registry key for 64 bit clients:

    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Versasec\vSEC_CMS_T]
    "soap.server.url"="

Note: It is possible to start the USS application such that the application will run in the system tray of the user's computer.
Pass the parameter -s when starting the application, for example:

    C:\Program Files (x86)\versasec\vsec_cms S-Series USS>vSEC_CMS_T_USS.exe -s

Note: If the USS is configured to connect to the S-Series and for whatever reason the client is offline then when starting the USS a message dialog will be displayed warning the user that the USS could not connect to the S-Series. This message dialog can be suppressed by passing in a parameter when starting the application from the command line. The parameter name is -autoconnect, for example:

    C:\Program Files (x86)\versasec\vsec_cms S-Series USS>vSEC_CMS_T_USS.exe -autoconnect

Configure USS in Kiosk Mode

If it is required to configure the USS to be used in kiosk mode it will be necessary to include a file named cms_app.cfg, placed beside the USS executable file, which is typically installed to C:\Program Files\Versasec\vSEC_CMS S-Series on 32 bit operating systems and C:\Program Files (x86)\versasec\vsec_cms S-Series on 64 bit operating systems. The contents of the file should be as below:

    <?xml version="1.0" encoding="utf-8"?>
    <config>
      <factory signature="kxpc+eqaym+dsqpx+ur6dycgzqgq3xl1bdbgmai89+8utnvvy1rcl73f+bsdsi11
    XVJlBuwRHjhKFhpeNzcSIO7oykRyqJ/7DB/8YZ5rD7o/+p0uXNxzMpY6Va6I5WTUjaiw8KeZJ6uQ
    10ye4VIuJ2fi8LBr/2WUZ+l39O5zW8k=">
        <std/>
        <force/>
      </factory>
      <oem>
        <std></std>
        <force>
          <option>
            <gui>
              <mode>x</mode>
            </gui>
          </option>
        </force>
      </oem>
    </config>

The <gui> section needs to be set with the value x if the USS should be run in kiosk mode. In order to run the USS in normal mode change this value to x.

Note: If the USS is to be run in kiosk mode and is to be included in a custom USS installer then the file cms_app.cfg should be added to the custom installer as described in the previous section, Create Custom USS Installer, above.

Using Operator Console Service

It is possible to install the S-Series on an operator's client host whereby the operator can connect to the S-Series service over a SOAP/HTTP connection. This removes the requirement for operators to connect to the S-Series via an RDP session. This section will describe how this feature can be set up and used.

Important: It is required to have English installed as Region and Language settings on the host where the operator console is to be installed.

Step 1 Configure Operator Console Service

On the server side it will be necessary to configure the Operator Console Service on the S-Series. Refer to the section above that describes this setup.

Step 2 Install the S-Series on Operator Client

On an operator's client host run the S-Series installer vsec_cms_tsx.y.exe, where X and Y are the current versions of the installer. During the installation you will be prompted to select the installation type. Select the Operator Client Console option. It will be necessary to configure the URL of the operator console service as configured in Step 1 above. When the operator attempts to log on for the first time after installing the operator console application the operator will be prompted to enter the URL for the server. Enter the URL that was configured in Step 1.

Alternatively, it is possible to set the URL for the operator console service that is already configured (in Step 1) automatically. It will be necessary to create a file called install.cfg and place it beside the installer executable. The contents of this file should be as below:

    [soap.adm]
    url=

where <S-Series_host_name> is the host name of the server where the operator console service is running and <port> is the port number that the operator console service is listening on. The protocol can be HTTP or HTTPS. It is recommended to use HTTPS.
For example, if the service is configured on a host called mycms.demo.com and the port is 8443 on a secure channel then the contents of this file would be:

    [soap.adm]
    url= mycms.demo.com:8443/adm

Important: The file install.cfg should be placed beside the installer exe when starting the installer. The installer will create a registry key of type string with the URL set in this file in the following location:

    HKLM/Software/Wow6432Node/Versatile Security/vSEC_CMS_T/soap.adm.server.url

Alternatively, the installer can be run silently. In order to run the installer silently from a command prompt run:

    > vsec_cms_s4.4.exe /S -soap_client

where <S-Series_host_name> is the host name of the server where the operator console service is running and <port> is the port number that the operator console service is listening on.

Step 3 Log onto S-Series

After the installation completes attach an operator card. Start the application from the shortcut icon on the desktop. The operator should now be able to perform CMS operations as required.

Important: Not all operations will be possible when logging onto the S-Series in this way, as it will not be possible to access the local resources on the server where the S-Series is running. For example, it will not be possible to configure the data export feature, as configuring data export requires access to the local file system on the server. All configurations that are not accessible in this mode will be marked with the message "Configuration requires local access".

Manage Computer and Application Certificates

It is possible to manage certificates that are used as computer certificates, such as server certificates, and application certificates, such as web application certificates, through the S-Series. Follow the instructions in this section on how to configure and manage certificates in this scenario.

Step 1 Setup Certificate Management Template

The first task is to add a certificate management template that will be used to manage the certificate(s). In this example computer certificates will be managed. From Templates > Certificate Management Templates click the Add button. Enter a template name and a comment if required.

For Certificate Authority enable the Connect to CA check box and select the CA that will be used when managing the certificates.

Important: Only an already configured MS CA template can currently be used.

For the Revocation Options, Revoke certificates at CA will always be enabled and cannot be disabled. It is shown here for information purposes. Enable Force certificate revocation at CA (Fail if CA is not reachable) if it is required to abort the certificate revocation when for some reason the CA is not available. If this option is not enabled and the CA is not available during the revocation, the S-Series will cache the revocation request and attempt to revoke the certificate when an operator logs on again.

In the Expiration Options enable the Notify when certificate expires option and enter the number of days before the certificate expiration that the person configured to be notified shall receive an email notification. Click the Notifications button to configure the email notification.

Click the Add button to add a template. Enter a template name and select the Outgoing Email Server from the drop down list. The email server connection will need to be already configured from Options > Connections. Click the Edit template button. Enter a From and To email

address into the fields available. Enter a CC and BCC if required. Enter an appropriate subject for the email. For the body two options are available, HTML or text. If HTML is selected it will be necessary to import an MHT file which contains the content of the body. MHT files can be created using MS Word, for example. S-Series variable names can be used, which will be replaced with actual data from a directory. If text is selected enter the appropriate message body and use S-Series variables to populate specific details. When editing text in this window, to go to a new line press Ctrl + Enter.

Important: When adding variable placeholders to either MHTML or plain text the variable needs to be entered correctly, i.e. the variables are case sensitive.

From the Permissions section it is possible to configure the operator roles who will be allowed to configure this template. Click the Edit button to adjust the operator role(s) who are allowed to configure this template.

Step 2 Configure Certificate Requests

The next step will be to add server certificates that can be managed by the S-Series. From the Actions > Request Certificates page click the Add button to browse to a location where certificate requests of type PKCS#10 are located and select one. Additionally it is possible to select certificates of CER or DER format.

Important: Only certificate requests of type PKCS#10 are currently supported.

Once certificates are added you will see them displayed similar to below. Depending on what type of certificate was added, different options will be available. If the certificate added is of type CER or DER then select the certificate from the table and click the Manage button. The Status will change to Managed in the table. If the certificate is of type PKCS#10 then select the certificate request from the table and click the Request button. The S-Series in this case will be acting as a PKCS#10 proxy. The request will be sent to the MS CA already configured in Step 1 above.
Once the request has been successfully processed by the CA the status will change to Issued. Then it will be possible to select the entry and click the Manage button to allow the S-Series to fully manage the lifecycle of the certificate. The status will state at this time that the certificate is Managed not saved. This means that the certificate is fully managed by the S-Series but the certificate has not been saved as a CER or

DER. It may be necessary to save a certificate as a CER or DER and provide it back to the original requestor, for example.

Important: Once a certificate is managed by the S-Series it can be deleted from the table. Select any record in the table and click the Delete button to delete the record from the table. This will not result in the S-Series terminating the management of the lifecycle of the certificate.

Select any record in the table and click the View button to see additional information about the certificate or certificate request if required.

Select any record in the table and click the Save button to save the selected managed certificate as a CER or DER certificate. The Save button will only be available for certificates of type PKCS#10 or for certificates that have been issued from a PKCS#10.

Step 3 Manage Certificates from Repository

Once the certificate(s) have been added through Step 2 above it is possible to view the status of these certificates from the Repository > Certificates page. All certificates, including certificates that are managed on smart card tokens, will be viewable from here. It is possible to filter the records based on the template or based on the expiration criteria. The Certificate Expiration view on the right will give a visual representation of the current status of all certificates managed by the S-Series.

Select an entry and click the View button to see additional information about the certificate.

Important: The S-Series will only store specific information about the certificate and not the entire certificate file. All of the information that the S-Series stores for the certificate is displayed in the View page.

Select an entry and click the Revoke button to revoke the certificate on the CA. In this case it will only be possible to revoke certificates that are not managed and issued to smart card tokens.

Select an entry and click the Delete button to remove the management of the certificate from the S-Series.
Click the Copy button to copy all of the table information into the system clipboard, from where it can be saved as a CSV file.

Customize Subject in Certificate Request

The holder of the private key associated with a certificate is known as the subject. Because the subject name can vary greatly depending on who or what the subject is, some flexibility is needed

when providing the subject name in the certificate request. This section will describe how it is possible to configure the S-Series so that the values set in the certificate subject can be customized.

Important: It will only be possible to configure this feature for the Microsoft Certificate Services PKI.

Step 1 Configure CA Certificate Template

The first step is to configure the certificate template on the MS CA to allow certificate requests to supply customizable values to be used as the subject. From the certificate template on the CA enable the Supply in the request radio button in the Subject Name tab.

Step 2 Configure CA Connection Template

From Options > Connections click the Configure button for Certificate Authorities. Select the CA Server Template if one has already been configured and click the Edit button; otherwise click the Add button to add a new template (refer to the section above for details on how to add a new template). Click the Templates button.

Select the template configured on the MS CA as described in Step 1. The Fields button will become available. Click the Fields button.

By default the Common Name (CN) will be populated in the table. This is the common name that will be sent to the CA when the certificate request is sent. It is possible to customize what this value should be by clicking the Value field. This will open the dialog as below.

Enable the Use variable radio button and select the placeholder variable that is mapped to an attribute in your directory. It is also possible to add a placeholder variable by clicking the Add button.

Enable the Use free text radio button and it is possible to include an already configured placeholder variable and concatenate this with some free text. For example, in the dialog below the Common Name (CN) will be constructed from the placeholder variable ${CommonName} with the free text SomeFreeText appended to the end of the ${CommonName} value.

Click the Fields button to open a dialog from where additional fields can be configured that can be added to the certificate request. All available values are listed in the Available window. Select the required value and click the >> arrow to add this as a field that will be used for the certificate request. For example, if Organizational Unit (OU) and Domain Controller (DC) fields were required, select each value from the Available window and add it to the Selected window. For example, if a user has CN=Joe Bloggs, an OU=MyOrg and a DC=MyCompany, then the certificate subject in the request would be: CN=Joe Bloggs, OU=MyOrg, DC=MyCompany.

The order in which the values are listed in the Selected window determines the order of the fields in the subject of the certificate request. Use the Up and Down buttons to change the order in which these fields will be set in the certificate request.
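As an added illustration (not Versasec code), the following Python assembles the subject from the ordered Selected fields, substituting ${Variable} placeholders from a directory record and supporting the free-text form ${CommonName}SomeFreeText; the directory attribute names and the RDN escaping rule are assumptions made for the example.

```python
"""Build a certificate request subject from ordered (RDN, value template)
fields, where a template is a placeholder variable such as ${CommonName}
or free text with placeholders embedded (${CommonName}SomeFreeText).

Added example, not Versasec code. The directory attribute names and the
RDN value escaping below are assumptions for illustration only."""
import re
from typing import Dict, List, Tuple

PLACEHOLDER = re.compile(r"\$\{([^}]+)\}")

# Characters escaped inside an RDN value (RFC 4514 style). This is an
# assumption: it keeps a value like "Bloggs, Joe" from splitting the subject.
_SPECIAL = set(',+"\\<>;')


def _escape_rdn_value(value: str) -> str:
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _SPECIAL or (ch == "#" and i == 0) or (ch == " " and i in (0, last)):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def expand(template: str, attrs: Dict[str, str]) -> str:
    """Replace every ${Name} with the directory attribute mapped to it.

    Variable names are case sensitive, as the guide warns: ${commonname}
    does not match a placeholder registered as CommonName and is an error.
    """
    def repl(match):
        name = match.group(1)
        if name not in attrs:
            raise KeyError(f"unknown placeholder variable ${{{name}}}")
        return attrs[name]
    return PLACEHOLDER.sub(repl, template)


def build_subject(fields: List[Tuple[str, str]], attrs: Dict[str, str]) -> str:
    """fields is the Selected list in display order: (RDN type, template).
    The order of the list is the order of the RDNs in the subject."""
    parts = []
    for rdn, template in fields:
        value = expand(template, attrs)
        if not value:
            raise ValueError(f"{rdn} expanded to an empty value")
        parts.append(f"{rdn}={_escape_rdn_value(value)}")
    return ", ".join(parts)


if __name__ == "__main__":
    # Constructed directory record; only the example names come from the guide.
    directory = {"CommonName": "Joe Bloggs", "OrgUnit": "MyOrg", "Domain": "MyCompany"}
    selected = [("CN", "${CommonName}"), ("OU", "${OrgUnit}"), ("DC", "${Domain}")]
    print(build_subject(selected, directory))  # CN=Joe Bloggs, OU=MyOrg, DC=MyCompany
    print(build_subject([("CN", "${CommonName}SomeFreeText")], directory))
```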

Configure HSM Support

A HSM can be used to store the master key(s) used when performing administration key operations with the S-Series, such as registering a smart card token or PIN unblock operations. The S-Series makes use of the PKCS#11 interface available in the HSM. All management functions around the master key stored on the HSM should be managed by the HSM key management tools available from the HSM vendor.

Currently the S-Series supports the following HSMs: SafeNet Luna SA; SafeNet ProtectServer; Thales nShield; Utimaco SafeGuard CryptoServer; Black Vault.

Important: It is expected that the HSM PKCS#11 module is installed and configured to connect to the HSM on the server where the S-Series is installed. It is required that the 32 bit version (DLL) of the HSM PKCS#11 module is available. The S-Series will search the system path for the PKCS#11 module.

From Options > Connections click the Configure button for Hardware Security Module (HSM) and click the Add button to set up a new connection. Enter a template name and from the drop down list select the HSM that you plan to use. In the example below we demonstrate how a typical connection to a SafeNet Luna SA HSM would be configured.

The PKCS#11 module will be automatically detected and populated into the DLL name field. The URL will be read from the configuration file that is typically included as part of the HSM configuration. Select the slot that the master key will reside in from the slot list in the drop down. Enter the PIN credential for the user who has access to the slot and click Check connection to test connectivity. The PIN credential may not be required if the HSM does not require a PIN credential, as the HSM may require that the PIN credential is entered on the HSM directly. Click Save to save and close the configuration.

Once the connection is set up it will be necessary to create an Operator Service Key Store (OSKS). Refer to the section above for details on this.
Once this has been set up you can continue with the setup below.

Generate New Master Key

If it is required to generate a new master key, either on the operator token or on the HSM, follow the instructions here.

Important: Remember that any new user smart card administration key will be diversified from the newly generated master key. Any user smart card administration key diversified from the old administration key of the S-Series application will remain operable. However, it is recommended to re-register those user cards issued from the old administration key of the S-Series. This will update the user's smart card administration key so that it is diversified from the new master key.

From Options > Master Key click the Generate new master key button to start the process. When the dialog below is presented select On vsec:cms Operator Card if it is required that the new master key is generated on the connected operator smart card token. The new master key will also be migrated to the HSM and any other operator card used on the S-Series. For an operator card the migration will take place the next time an operator logs onto the S-Series.

Select the option On server side HSM if it is required that the new master key should be generated on the HSM only. In this case the new master key will only be available on the HSM. Therefore all operations that require access to the newly generated master key will need to use the HSM. This means that the OSKS will need to be activated from the Options > Operators page. For any smart card that was previously managed by the S-Series with an operator card that used an older master key not generated by the HSM, it will be possible to continue to manage these cards, but it is recommended to update these cards so that they will be managed by the newly created master key.

Important: Once the HSM master key is generated it will not be possible to roll back to use a master key stored on the operator smart card(s).

Restore or Migrate to New HSM

If it is required to move and/or restore your current HSM then follow the instructions in this section.

Important: It is expected that proper backup procedures have been used when backing up your current HSM system, such that any S-Series master key(s) are stored correctly by your HSM backup procedures. This is out of scope for the S-Series.

1. From Options > Operators select the HSM key store and delete it. A warning dialog will inform you that removing the key store will impact the listed card templates. Select Yes to continue. As it is expected that the HSM is unavailable you will receive another warning dialog informing you that the HSM is currently not available and that the master key(s) previously stored on the HSM cannot be deleted. It is expected that the HSM administrator will manage any clean up tasks regarding these key(s). Select Yes to continue and complete the deletion.

2. Add a new connection for the HSM from Options > Connections, similar to what is described in Configure HSM Support above. When you click the Check connection button you will be prompted that the connection was established and all master key(s) found were successfully verified. Click the Save button on the connection dialog. You will be prompted that S-Series master key(s) were found and asked whether you want to make them available to the S-Series. Select Yes to continue. The S-Series will automatically create a new key store, which you can verify and activate from the Options > Operators page.

3. From Options > Operators select the newly created key store. Its name should start with Restored from. Click the Activate button to complete the flow.

Additional information

Any master key added to the HSM will have a label starting with CMS MK on the HSM. The label differs depending on whether the master key is created and stored on operator smart card tokens and synced with the HSM, or the master key is generated only on the HSM.
For a master key created and stored on operator smart card tokens and synced with the HSM the label on the HSM will be CMS MK 00 if this was the first key. Any additional key(s) would be incremented by one; therefore a second master key would have a value of CMS MK 01 and so on.

For a master key generated only on the HSM the label on the HSM will be CMS MK 4100 if this was the first key. Any additional key(s) would be incremented by one; therefore a second master key would have a value of CMS MK 4101 and so on.

Using Elliptic Curve Cryptography

It is possible to use Elliptic Curve Cryptography (ECC) when issuing certificates using the S-Series. The S-Series supports the following NIST curves: P256; P384; P521. The smart card token used also needs to support the generation and import of keys on these NIST curves. Please refer to your smart card vendor documentation to determine whether the smart card that you wish to use supports ECC with the NIST curves listed above.

In order to use ECC it will be necessary to configure the certificate template on the CA to use ECC. In this section we will describe how to configure a smart card logon certificate template for a Microsoft CA running on a Windows 2012 R2 server.

Configure ECC Support on MS CA

In this example we will show how to configure a smart card logon template on a MS CA that can then be used by the S-Series to issue a Windows logon certificate to a smart card token for MS Windows logon.

Important: This section is an example only and should not be viewed as a definitive guideline for configuring your specific CA certificate templates.

Step 1 Configure Certificate Template on CA

From the Certificate Templates Console window for the MS CA select the default Smartcard Logon template, right click and select Duplicate Template. From the Compatibility tab select the settings as below. From the Request Handling tab select the settings as below.

From the Cryptography tab select the settings as below. From the Issuance Requirements tab select the settings as below.

Save the template and issue the template through your CA as normal. On the S-Series from the Options > Connections page select the Certificate Authorities template and click Edit. Click the Templates button and click Update to update the available certificate templates from the CA.

Step 2 Configure Windows to Support ECC Certificate for Logon

By default, the ECC certificate won't be shown on the Windows login screen. It will be necessary to enable the group policy Allow ECC certificates to be used for logon and authentication. This can be enabled, for example, from the Local Group Policy Editor window. Navigate to Computer Configuration - Administrative Templates - Windows Components - Smart Card, double click Allow ECC certificates to be used for logon and authentication and select the Enabled option.

Step 3 Configure Card Template

On the S-Series configure a card template to use the certificate template created in Step 1 and issue a card as normal.

Smart Card Stock Management

It is possible to manage how smart card tokens are allowed to be registered and managed with the S-Series based on the card serial number (CSN) as delivered from the smart card provider. Typically the smart card provider can provide a list of the CSNs delivered to an end customer. This list of CSNs can then be used to manage and control which cards are allowed to be registered and managed.

For example, Company XYZ orders 500 smart card tokens from a smart card provider. The smart card provider delivers the order along with a list of the corresponding CSNs. Company XYZ wants to ensure that only smart card tokens with the CSNs provided in the list are allowed to be registered and issued in their organization. Using the S-Series it is possible to ensure that this requirement is met.

Configure Smart Card Stock Management

This section will describe how you can configure smart card stock management in the S-Series. Typically the smart card tokens are provided in a box from the smart card provider. For the purposes of the description below we will use a simple example where a smart card provider ships a box of smart cards that contains 2 smart card tokens, along with a file listing the CSNs of these smart card tokens.

Step 1 Enable Support

From the file menu select File > Program Settings. Enable the Enable smart card stock management check box as indicated in the dialog below.

Click the Configure locations button to add locations where the particular box of smart cards is shipped to. This can be useful if it is required to keep track of where a particular box of cards was shipped to for auditing and traceability purposes. In the Location field enter the name of the location required and click Add. If it is required to delete an entry just select it and click Delete. If it is required to change the name of the location select an entry, change the name and click the Update button. Click Ok to save and close.

Step 2 Add Stock File

It will be necessary to import the list of CSNs as provided by the smart card provider. From Repository > Smart Card Stock click the Add button. Enter a name for the particular box of smart card tokens that has been delivered. Enter a more descriptive comment if required. From the Location drop down list select the location that this record should be associated with. Click the Load from file button and browse to the location of the file which contains the list of CSNs. The file should be a text file and the supported formats are:

Example 1:

    CB2C3C7036C0002CCB2C3C71
    D2DD3C D2DD3C72

Example 2:

    CSN
    D75B1DFFFF
    A5C0FFFF

Example 3:

    CSN,BOXNAME
    D75B1DFFFF,"Box 1"
    A5C0FFFF,"Box 1"

Example 4:

    BOXNAME,CSN
    "Box 1",CB2C3C7036C0002CCB2C3C71
    "Box 1",D2DD3C D2DD3C71

You should now have an entry in the Box drop down list. Select the entry in the drop down list. The window will now update with the complete list of CSNs as provided by the smart card provider, as they exist in the file just loaded. By default the cards will be locked, as indicated by the enabled check box. This means that if you attempt to register and manage any smart card token from this box the S-Series will not allow such operations. If the smart card tokens are to be allowed to be registered and managed right away then uncheck the Cards locked check box.

Additional Information

From Repository > Smart Card Stock it is possible to perform additional tasks on already loaded CSN files. For example, in the previous steps we imported a file of CSNs. These loaded CSNs would appear here as a table.

Select an entry in the table and click the Trans. log(s) button to view transaction logs for the particular entry selected in the table.

Select an entry in the table and click the Unlock button to unlock the CSNs for the entry selected. This will open a dialog similar to below. Enable Unlock all cards from selected box if it is required to unlock all CSNs in the loaded CSN file. Enable Unlock all cards with following serial numbers and click the Load from file button to select a file that contains all of the CSNs that you wish to unlock.

In order to use this feature it will be necessary to enable it in any card template in which it is to be used. For any card template it will be necessary to enable Only issue cards from smart card stock in the Issue Card section of the card template, in the General Options section.
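The stock file layouts from Step 2 and the lock/unlock behaviour described here can be exercised with the following added Python example (not Versasec code): it parses all four layouts, keeps every loaded card locked by default, unlocks cards from a second file in the same layouts, and answers whether a presented CSN may be registered. The sample CSNs are constructed except the one taken from Example 1.

```python
"""Parse the smart card stock (CSN) file layouts shown in Step 2 above and
apply the "Cards locked" rule when a card is presented for registration.

Added example, not Versasec code. It accepts the four layouts the guide
lists: a bare CSN per line, a CSN header column, CSN,BOXNAME and
BOXNAME,CSN (box names may be quoted). Sample CSNs are constructed except
the one copied from the guide's Example 1."""
import csv
import io
import re
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Tuple

_HEX = re.compile(r"[0-9A-F]+")


@dataclass
class StockBox:
    name: str
    cards: Dict[str, bool] = field(default_factory=dict)  # CSN -> locked?

    def unlock(self, csns: Iterable[str]) -> None:
        for csn in csns:
            csn = csn.upper()
            if csn not in self.cards:
                raise KeyError(f"CSN {csn} is not in box {self.name!r}")
            self.cards[csn] = False

    def unlock_all(self) -> None:  # "Unlock all cards from selected box"
        self.unlock(list(self.cards))


def parse_csns(text: str, box_name: str) -> List[Tuple[str, str]]:
    """Return (csn, box) pairs from any of the four supported layouts.

    box_name is used for layouts without a BOXNAME column. CSNs are
    normalised to upper case, must be hexadecimal and must be unique.
    """
    rows = [[c.strip() for c in r] for r in csv.reader(io.StringIO(text))]
    rows = [r for r in rows if any(r)]
    if not rows:
        raise ValueError("stock file is empty")
    header = [c.upper() for c in rows[0]]
    if "CSN" in header:  # Examples 2, 3 and 4 carry a header row
        csn_col = header.index("CSN")
        box_col = header.index("BOXNAME") if "BOXNAME" in header else None
        body, first = rows[1:], 2
    else:  # Example 1: bare list, no header
        csn_col, box_col, body, first = 0, None, rows, 1
    pairs, seen = [], set()
    for lineno, row in enumerate(body, start=first):
        if len(row) <= csn_col or not row[csn_col]:
            raise ValueError(f"line {lineno}: missing CSN")
        csn = row[csn_col].upper()
        if not _HEX.fullmatch(csn):
            raise ValueError(f"line {lineno}: {csn!r} is not hexadecimal")
        if csn in seen:
            raise ValueError(f"line {lineno}: duplicate CSN {csn}")
        seen.add(csn)
        box = row[box_col] if box_col is not None and len(row) > box_col else ""
        pairs.append((csn, box or box_name))
    return pairs


def load_stock(text: str, box_name: str) -> List[StockBox]:
    """Build boxes from a stock file; every card starts locked, as it does
    in the S-Series right after loading."""
    boxes: Dict[str, StockBox] = {}
    for csn, box in parse_csns(text, box_name):
        boxes.setdefault(box, StockBox(box)).cards[csn] = True
    return list(boxes.values())


def unlock_from_file(boxes: List[StockBox], text: str) -> int:
    """Unlock all cards with following serial numbers: the unlock list uses
    the same layouts. Returns the number of cards unlocked."""
    by_csn = {csn: b for b in boxes for csn in b.cards}
    count = 0
    for csn, _ in parse_csns(text, box_name="unlock-list"):
        if csn not in by_csn:
            raise KeyError(f"CSN {csn} is not in stock")
        by_csn[csn].unlock([csn])
        count += 1
    return count


def registration_allowed(boxes: List[StockBox], csn: str) -> bool:
    """With "Only issue cards from smart card stock" enabled on the card
    template, the CSN must be in stock and not locked."""
    csn = csn.upper()
    return any(b.cards.get(csn) is False for b in boxes)


# Constructed sample in the Example 3 layout; the first CSN is the one shown
# in the guide's Example 1, the second is made up.
SAMPLE_STOCK = 'CSN,BOXNAME\nCB2C3C7036C0002CCB2C3C71,"Box 1"\n0000D75B1DFFFF,"Box 1"\n'

if __name__ == "__main__":
    boxes = load_stock(SAMPLE_STOCK, "Box 1")
    print(registration_allowed(boxes, "CB2C3C7036C0002CCB2C3C71"))  # False: locked
    unlock_from_file(boxes, "CB2C3C7036C0002CCB2C3C71\n")  # Example 1 layout
    print(registration_allowed(boxes, "cb2c3c7036c0002ccb2c3c71"))  # True
```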

Configure Alt-Security-Identities Management

It is possible to configure mapping of user certificates to the altsecurityidentities attribute in Active Directory. In order to configure support for this feature it needs to be enabled in the particular card template in which this feature is to be used.

Important: This feature is currently supported for MS Active Directory only.

From Templates > Card Templates click the link for Issue Card. In the Enroll Certificates section, when you either add a certificate or edit an existing certificate in the table and the particular certificate needs to be mapped to the altsecurityidentities attribute, enable the Update (altsecurityidentities) check box.

It is important that the AD connection that you are connecting with for the particular template has write permissions. From Options > Connections ensure that you have configured a connection to AD with a credential that has appropriate permissions to write to the altsecurityidentities attribute.

Configure Validation Steps before Issuance

It may be required to perform validation steps before a smart card token is issued to a user. For example, we may want to check that the user is active in the user directory before the smart card token is allowed to be issued. This can be configured in the S-Series. In this section we use an example scenario in which the smart card token unique serial number (CSN) is validated against a directory attribute value of the card user, so that only a specific card can be issued to a specific user.

Step 1 Create Input File

To cover the scenario described above an input file is required. With the default installation folder, copy the input file to C:\Program Files (x86)\versasec\vsec_cms S-Series\cms_db\import. The file extension should be .in, for example Input_File_1.in. Once the file is placed in this folder its name changes to Input_File_1.in_succ (for the file name used in this example). The succ suffix indicates that the data was successfully imported into the database.

The input file is an XML file configured similar to below:

    <?xml version="1.0" encoding="utf-8"?>
    <data>
      <e id=" de11200affff">
        <v name="cms_variable_id" value="card1"/>
      </e>
      <e id=" de112345ffff">
        <v name="cms_variable_id" value="card2"/>
      </e>
    </data>
    <cms_config>
      <v name="variablename" value="card_number"/>
    </cms_config>

The <data> element contains the smart card token unique serial numbers (CSNs). In the example above the entry

    <e id=" de11200affff">
      <v name="cms_variable_id" value="card1"/>
    </e>

imports into the CMS database a smart card with CSN DE11200AFFFF together with the value card1, and that value must correspond to the value held for the user in the directory. During card issuance the S-Series therefore checks that the card being issued, identified by its CSN, is being issued to a user whose configured directory attribute holds the value card1. If this condition is not met the card issuance fails.

The <cms_config> element

    <cms_config>
      <v name="variablename" value="card_number"/>
    </cms_config>

is used by the S-Series to create the database record for the imported data. The value instructs the S-Series to create a database file named card_number, saved with a .db extension. With the default installation folder this file is saved to C:\Program Files (x86)\versasec\vsec_cms S-Series\cms_db\data.

Step 2 Add Variable for Imported Data

A variable must be added so that the data imported in step 1 can be mapped to it and used for the validation check during smart card token issuance.

From Options > Variables click the Add button. In the first drop down list select Imported. In the Variable name drop down list you should see the value CMS_Variable_ID, the variable name configured in the input file in step 1. Enter label information to identify the variable for later use. In the Parameter drop down list select one of the already available S-Series variables; in this case the variable must match the CSN of the card to be issued. Select the mandatory check box if this variable is required to contain data in every template in which it is used. Click Ok to save and add the variable to the system.

Step 3 Add Variable for Directory Attribute

From Options > Variables click the Add button. In the first drop down list select Directory (DN). In the Variable name field enter an appropriate variable name. Enter label information to identify the variable for later use. In the Description field enter a fuller description of what the variable is used for. Select the mandatory check box if this variable is required to contain data in every template in which it is used. Click Ok to save and add the variable to the system.

Step 4 Configure Card Template

A card template that will be used when issuing the smart card token must be configured. It is presumed that all back-end connections to directories and the CA are in place.

From Templates > Card Templates click the Add button and click the edit link beside General. Enter a template name, attach the card type you wish to manage with this template and click the Detect button. In this example we manage a Gemalto IDPrime MD card. Leave all other settings as they are and click Ok to save and close.

Click the edit link beside Issue Card. Enable Assign user ID and select the directory to use from the drop down list. Click the Manage button. Select the directory to use and click the Edit button, then click the Edit button again. Select the variable added in step 3 and in the variable field enter the name of the directory attribute. For example, if the attribute in your directory is named usercardid the dialog would look similar to the one shown below. Click Ok to save and close. Back at the main Issue Card dialog, configure whatever other settings your template requires and click the Ok button to save and close the dialog.

Click the Edit link again for the General option. In the Permissions section you configure the settings for the validation steps. Enable Access rights per individual lifecycle tasks if the validation steps are to be configured per lifecycle task for this card template; leave it disabled if the validation step is to be global for the card template.

If Access rights per individual lifecycle tasks is not enabled, click the Manage button in the Validate before issuance section. Click Add. Enter a template name and from the drop down list select Verify variables (Verify variable values). In the Source value field enter the variable name as configured in step 3. If you know the name you can search for the variable in the Search field, or select it from the Variables drop down list, click the Copy button and paste the value into the Source value field.

Select the comparison to be performed from the drop down list. The Reference value field is filled in the same way with the other variable of the pair (the imported variable from step 2 in this example): search for it in the Search field, or select it from the Variables drop down list, click Copy and paste the value into the Reference value field. Enable the Must have values check box if the validation must fail when either value is empty. Enable the Case sensitive check box if the validated data must match the imported data including letter case. Click the Save button to save and close.

You can now perform a card issuance from the Lifecycle page and verify that the imported data was used and the validation succeeded.
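The following Python is an added example that re-implements the scenario of steps 1 to 4 offline; it is not S-Series code, and how the product itself parses the .in file and compares values is not documented here, so the behaviour shown is this example's model. It parses a .in file in the layout from step 1, looks up the card's imported value and the user's directory attribute, and applies the Must have values and Case sensitive options the way the Verify variables template exposes them. The CSNs, the directory entries and the attribute name usercardid are constructed.

```python
"""Validation-before-issuance check over an imported .in file.

Added example, not S-Series code: it re-implements the guide's scenario
(a card's CSN must match a directory attribute of the user) so the effect of
the Must have values and Case sensitive options can be exercised offline.
How the product itself parses the .in file and compares values is not
documented here; the behaviour below is this example's model. The CSNs,
directory entries and attribute name usercardid are constructed.
"""
import re
import xml.etree.ElementTree as ET

# Constructed .in file in the layout shown in the guide (constructed CSNs).
SAMPLE_IN_FILE = """<?xml version="1.0" encoding="utf-8"?>
<data>
  <e id="A0B1C2D3E4F5">
    <v name="CMS_Variable_ID" value="card1"/>
  </e>
  <e id="A0B1C2D3E4F6">
    <v name="CMS_Variable_ID" value="card2"/>
  </e>
</data>
<cms_config>
  <v name="VariableName" value="card_number"/>
</cms_config>
"""

# Constructed stand-in for the directory (DN -> attributes).
SAMPLE_DIRECTORY = {
    "CN=Sam Sim,DC=Sample,DC=local": {"usercardid": "card1"},
    "CN=Tom Lim,DC=Sample,DC=local": {"usercardid": "Card2"},   # note the capital C
    "CN=Eve Lee,DC=Sample,DC=local": {},                        # attribute never set
}


def parse_in_file(text):
    """Return (records, config): records maps CSN -> {variable name: value}.

    The file as shown has <data> and <cms_config> side by side, so it is not a
    single-rooted XML document; wrapping it in a synthetic root (an assumption
    of this example) lets ElementTree read both parts.
    """
    body = re.sub(r"<\?xml[^>]*\?>", "", text, count=1)
    root = ET.fromstring("<root>" + body + "</root>")
    records = {}
    for e in root.iter("e"):
        csn = (e.get("id") or "").strip().upper()
        records[csn] = {(v.get("name") or "").lower(): v.get("value")
                        for v in e.findall("v")}
    config = {(v.get("name") or "").lower(): v.get("value")
              for v in root.findall("cms_config/v")}
    return records, config


def verify_variables(source, reference, must_have_values=True, case_sensitive=True):
    """Model of the 'Verify variables' template with an equals comparison."""
    src = "" if source is None else str(source)
    ref = "" if reference is None else str(reference)
    if must_have_values and (src == "" or ref == ""):
        return False           # an empty side is a failure, not a match
    if not case_sensitive:
        src, ref = src.casefold(), ref.casefold()
    return src == ref


def validate_before_issuance(csn, user_dn, records, directory,
                             attribute="usercardid", variable="cms_variable_id",
                             **options):
    """Return (ok, reason) for issuing card `csn` to `user_dn`."""
    imported = records.get(csn.strip().upper(), {}).get(variable)
    held = directory.get(user_dn, {}).get(attribute)
    ok = verify_variables(imported, held, **options)
    reason = "ok" if ok else (
        f"CSN {csn.upper()}: imported value {imported!r} does not match "
        f"{attribute}={held!r} for {user_dn}")
    return ok, reason


if __name__ == "__main__":
    recs, cfg = parse_in_file(SAMPLE_IN_FILE)
    print("database:", cfg["variablename"], "records:", recs)
    for csn, dn in [("a0b1c2d3e4f5", "CN=Sam Sim,DC=Sample,DC=local"),
                    ("A0B1C2D3E4F6", "CN=Tom Lim,DC=Sample,DC=local"),
                    ("FFFFFFFFFFFF", "CN=Eve Lee,DC=Sample,DC=local")]:
        print(validate_before_issuance(csn, dn, recs, SAMPLE_DIRECTORY))
```

Two results are worth noticing. Tom Lim's card fails with Case sensitive on and passes with it off. A CSN that was never imported, presented for a user whose attribute was never set, fails only because Must have values is on; with it off, empty equals empty and the card would be issued. For this kind of check leave Must have values enabled.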

Configure Pre-Issuance

In some use cases it may be required to perform a pre-issuance assignment before a smart card token is actually issued. For example, a smart card token with a specific CSN may need to be pre-issued to a particular user and, additionally, to a particular card template. When the smart card token is later issued, the S-Series determines from its CSN that the token is to be assigned to that user and, optionally, to that card template.

Important: Once a pre-issued smart card token has been issued it is no longer in the pre-issued state. If you later revoke/retire/unregister the smart card token it does not return to the pre-issued state.

Follow the instructions in this section to configure the S-Series for this type of pre-issuance assignment. The pre-issuance information can be provided in two ways: through an input file imported with a manual import wizard, or through input files that the S-Series reads automatically when it detects that a new file has been placed in a pre-configured folder on the system.

Pre-issuance using Import Wizard

Step 1 Create Input File

The input file containing the smart card records is constructed as below.

Important: The file must be saved with UTF-8 encoding. In Notepad, for example, the encoding can be selected in the Save dialog.

    V;1.0
    T;CSN;DN;TEMPLATE
    C;" D0D2A0AFFFF";"CN=Sam Sim,DC=Sample,DC=local";"SC Logon Template"
    C;" D0D4456FFFF";"CN=Tom Lim,DC=Sample,DC=local";"SC Logon Template"

The first line is mandatory and must not be changed. The second line names the fields of the input data for the smart card token and the user to whom it will be pre-issued: T tags the title line, CSN is the smart card token serial number, DN is the distinguished name of the user as it exists in the user directory, and TEMPLATE is the card template in the S-Series to which the token is pre-issued. The character ; is the separator in this example. Place all input data in quotation marks as in the sample. Comments can be added to the input file using the # character. The C at the start of each record identifies the record as a smart card token record.

Step 2 Import Input File

From Repository > Smart Card Transfer, in the Pre-issuance section, click the Proceed button. Click Browse to select the file created in step 1. Select the separator type from the drop down list, the character ; in this example. In the Select smart card template section three options are available:

Do not assign template: the input record(s) are not assigned to a card template. This overrides any card template already defined in the input file.

Assign template from file: each input record is assigned to the card template defined in the input file. In this example we select this option.

Assign this template: select a card template from the drop down list of templates available on the system. Again, this overrides any card template already defined in the input file.

Click Proceed to continue. Enter the operator smart card PIN code when prompted.

The entries can be filtered by user directory. In this example all users are from the same user directory so no filtering is performed. If you have a larger input file with users from different directory locations and only specific locations should be imported, enable the filter option and select the directory locations to be used. Click Next to continue.

The entries can also be filtered by the smart card template named in the input file. In this example all users are assigned to the same card template so no filtering is performed. If you have a larger input file with users assigned to different card templates and only specific templates should be imported, enable the filter option and select the card templates to be used. Click Next to continue.

The complete list of users to be imported in the pre-issued state is displayed, with all entries selected. Clear the import check box for any user(s) you do not wish to import at this time. Click Import to proceed. An information dialog pops up; click Yes to proceed. On completion a summary dialog appears. Click the Export button to save the summary report to an HTML file. Click Close to finish.

Step 3 Issue Smart Card Token

When it is time to issue the card, attach the smart card token on the Lifecycle page. The S-Series determines from the token's CSN that it has been pre-issued. The Lifecycle page shows the smart card token in the unregistered state, but a chain symbol indicates that this token has been pre-issued to a particular user and assigned to a particular smart card template. When the operator issues the smart card token, the system issues it to the pre-issued user using the pre-assigned card template.

Pre-issuance using Auto-detection

With this mechanism, pre-configured input files are placed in a folder that the S-Series service monitors; new files are automatically detected and imported into the system in the pre-issued state.

Step 1 Create Input File

A file named import.cfg must be placed in the folder that is the root location for pre-issued smart card token input records. This folder may contain sub-folders holding the input files. The import.cfg file is constructed as below.

Important: The file must be saved with UTF-8 encoding. In Notepad, for example, the encoding can be selected in the Save dialog.

    [import]
    template=1
    seperator=;

The first line is mandatory and must be exactly as shown. The template key can take three kinds of value: 1 means that no card template is assigned to the card records read from the record input file; 2 means that the card template is taken from each record in the input file; any other value is taken as the name of the card template to which every pre-issued smart card token in the file will be pre-assigned. The seperator line (spelled as shown) tells the system which character separates the fields of an input record, ; in this example. Typically the card record input file is constructed as a CSV file.

The input file(s) are constructed as below when template=1 is set:

    V;1.0
    T;CSN;DN;TEMPLATE
    C;" D0D2A0AFFFF";"CN=Sam Sim,DC=Sample,DC=local"
    C;" D0D4456FFFF";"CN=Tom Lim,DC=Sample,DC=local"

The card record input file(s) are constructed as below when template=2 is set:

    V;1.0
    T;CSN;DN;TEMPLATE
    C;" D0D2A0AFFFF";"CN=Sam Sim,DC=Sample,DC=local";"SC Logon Template"
    C;" D0D4456FFFF";"CN=Tom Lim,DC=Sample,DC=local";"SC Logon Template"

The card record input file(s) are constructed as below when template=SC Logon Template is set:

    V;1.0
    T;CSN;DN;TEMPLATE
    C;" D0D2A0AFFFF";"CN=Sam Sim,DC=Sample,DC=local"
    C;" D0D4456FFFF";"CN=Tom Lim,DC=Sample,DC=local"

The first line is mandatory and must not be changed. The second line names the fields of the input data for the smart card token and the user to whom it will be pre-issued: T tags the title line, CSN is the smart card token serial number, DN is the distinguished name of the user as it exists in the user directory, and TEMPLATE is the card template in the S-Series to which the token is pre-issued. The character ; is the separator in this example. Place all input data in quotation marks as in the sample. Comments can be added to the input file using the # character. The C at the start of each record identifies the record as a smart card token record.

Step 2 Automatically Import from Input File

From Repository > Smart Card Transfer, in the Pre-issuance section, click the Auto collect button. Click the Browse button and navigate to the folder that the S-Series service will monitor for input files to import as pre-issued card records. Alternatively, enter a folder path relative to the S-Series installation folder; with a default installation this is C:\Program Files (x86)\versasec\vsec_cms S-Series. For File extension enter the extension of the card input record files; these are typically CSV files, so enter csv. Enable the Enabled check box to activate this feature. Enable the Preserve input check box to make the system keep each processed input file, renamed with a .succ extension. Enable the Store report check box if the system should generate a report file for every input record file processed. Click Ok to save and close.

Step 3 Issue Smart Card Token

When it is time to issue the card, attach the smart card token on the Lifecycle page. The S-Series determines from the token's CSN that it has been pre-issued. The Lifecycle page shows the smart card token in the unregistered state, but a chain symbol indicates that this token has been pre-issued to a particular user and assigned to a particular smart card template. When the operator issues the smart card token, the system issues it to the pre-issued user using the pre-assigned card template.
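The Python below is an added example that serves both the import wizard file (Step 1 under Pre-issuance using Import Wizard) and the auto-detection files with their import.cfg (Step 1 under Pre-issuance using Auto-detection). It is not Versasec code; the S-Series service parses these files itself. It reads import.cfg with the three template modes, parses a record file in the documented layout (V;1.0 header, T title line, C records, # comments, quoted fields, configurable separator) and reports the records that should not be dropped into the monitored folder: bad CSNs, duplicated CSNs, and records with no TEMPLATE field when template=2 is set. The CSNs and DNs in the sample files are constructed.

```python
"""Parser for the pre-issuance record files and import.cfg (added example).

Not Versasec code: the S-Series service reads these files itself. This
re-implements the documented layout (V;1.0 header, T title line, C records,
# comments, quoted fields, configurable separator, template modes 1 / 2 /
name) so a batch can be checked for errors before it is dropped into the
monitored folder. The CSNs and DNs in the samples are constructed.
"""
import configparser
import csv
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed record files in the guide's layout.
RECORDS_WITH_TEMPLATE = """V;1.0
T;CSN;DN;TEMPLATE
# constructed sample batch
C;"3B7D00000001";"CN=Sam Sim,DC=Sample,DC=local";"SC Logon Template"
C;"3B7D00000002";"CN=Tom Lim,DC=Sample,DC=local";"SC Logon Template"
"""

RECORDS_WITHOUT_TEMPLATE = """V;1.0
T;CSN;DN;TEMPLATE
C;"3B7D00000001";"CN=Sam Sim,DC=Sample,DC=local"
C;"3B7D00000002";"CN=Tom Lim,DC=Sample,DC=local"
"""

IMPORT_CFG = """[import]
template=2
seperator=;
"""


@dataclass
class PreIssuedCard:
    csn: str
    user_dn: str
    template: Optional[str]      # None = no template pre-assigned


def read_import_cfg(text: str) -> Tuple[str, str]:
    """Return (template mode, separator). The key is spelled 'seperator'
    in the guide's sample, so that spelling is read here."""
    cfg = configparser.ConfigParser()
    cfg.read_string(text)
    section = cfg["import"]
    return section.get("template", "1"), section.get("seperator", ";")


def parse_records(text: str, template_mode: str, separator: str = ";"):
    """Parse a record file; returns (cards, errors). Records with errors are
    reported and skipped rather than silently pre-issued."""
    cards: List[PreIssuedCard] = []
    errors: List[str] = []
    seen = set()
    lines = [ln for ln in text.splitlines()
             if ln.strip() and not ln.lstrip().startswith("#")]
    if not lines or lines[0].strip() != "V;1.0":
        return cards, ["first line must be V;1.0"]
    reader = csv.reader(lines[1:], delimiter=separator, quotechar='"')
    header = None
    for n, row in enumerate(reader, 2):          # n counts non-comment lines
        tag = row[0].strip().upper() if row else ""
        if tag == "T":
            header = [h.strip().upper() for h in row[1:]]
            continue
        if tag != "C":
            errors.append(f"entry {n}: unknown tag {row[0]!r}")
            continue
        if header is None:
            errors.append(f"entry {n}: C record before the T title line")
            continue
        fields = dict(zip(header, (f.strip() for f in row[1:])))
        csn = fields.get("CSN", "").upper()
        dn = fields.get("DN", "")
        in_file = fields.get("TEMPLATE") or None
        if not re.fullmatch(r"[0-9A-F]{2,}", csn):
            errors.append(f"entry {n}: CSN {csn!r} is not a hex serial number")
            continue
        if csn in seen:
            errors.append(f"entry {n}: CSN {csn} listed twice; a card can be pre-issued to one user only")
            continue
        if "=" not in dn:
            errors.append(f"entry {n}: DN {dn!r} is not a distinguished name")
            continue
        if template_mode == "1":
            template = None                      # mode 1: never assign
        elif template_mode == "2":
            if in_file is None:                  # mode 2: must come from the file
                errors.append(f"entry {n}: template=2 but the TEMPLATE field is empty")
                continue
            template = in_file
        else:
            template = template_mode             # a name: applies to every record
        seen.add(csn)
        cards.append(PreIssuedCard(csn, dn, template))
    return cards, errors


def load_batch(cfg_text: str, records_text: str):
    """Apply import.cfg to a record file the way the auto-collect folder would."""
    mode, sep = read_import_cfg(cfg_text)
    return parse_records(records_text, mode, sep)


if __name__ == "__main__":
    cards, errs = load_batch(IMPORT_CFG, RECORDS_WITH_TEMPLATE)
    for c in cards:
        print(c)
    for e in errs:
        print("ERROR", e)
```

The quoting rule in the guide matters when the separator is a comma: a DN such as CN=Sam Sim,DC=Sample,DC=local contains the separator, and only the quotation marks keep it in one field. The duplicate-CSN check is this example's addition, not a rule the guide states; it is there because a batch that lists one serial number against two users is almost always a data error.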

Configure Extended Permission Checks

It is possible to use the extended rights checks built into Windows Active Directory (AD) to control which operators may perform specific life cycle tasks in the S-Series. Life cycle tasks are the tasks that can be performed within a specific card template.

Important: An integrator performing this configuration is expected to have full understanding of and experience with AD extended rights.

To describe how this feature can be used we use a simple scenario with two operators: one operator is allowed to perform smart card issuance only, for a particular user, and the other is allowed to perform online smart card PIN unblock only, for that user. It is presumed that connections to the back end user directory and CA have already been configured in the S-Series.

Step 1 Create Card Template

From Templates > Card Templates click the Add button. From General click the Edit link, enter a template name, attach the smart card token you wish to manage with this template and click the Detect button. In the Permissions section enable the Access rights per individual lifecycle tasks check box and click Ok to save and close this dialog.

Click the Edit link for Issue Card. Under User ID Options enable Assign user ID and select the already configured connection to your user directory from the drop down list. Enable the Validate before issuance check box and click the Manage button. Click the Add button and enter a template name. In this example we create a template to be used for the smart card token issuance life cycle task. In the first drop down list select AD Extended Rights. From AD Connection select the already configured connector to your user directory.

By default Proxy through server is unchecked. Enable this check box if the client on which the operator performs the life cycle task is not joined to the domain, so that the check is made through the S-Series server. This is a global setting for the card template.

In the Extended Rights list all available Windows extended rights are listed. Select the one to be used; in this example Change Password. The configuration can be tested by clicking the Operator button and selecting an operator from the list, then clicking the Get button and selecting the user to perform the check on. The user's permissions must already be configured at the AD level for this to succeed; see step 2 below for one way of doing this. Click the Check button to validate that the configuration works as expected. Click the Save button to save the template and close, then Close to return to the Issue Card main dialog. Make sure the newly created validation template is selected in the drop down list. Scroll to the bottom of the dialog and click the Ok button to save and close.

From the main card template dialog scroll down to the Online PIN unblock section and click the Edit link. Enable the Validate before issuance check box and click the Manage button.

Click the Add button and enter a template name. In this example we create a template to be used for the smart card PIN unblock life cycle task. In the first drop down list select AD Extended Rights. From AD Connection select the already configured connector to your user directory. By default Proxy through server is unchecked; enable it if the client on which the operator performs the life cycle task is not joined to the domain. This is a global setting for the card template.

In the Extended Rights list all available Windows extended rights are listed. Select the one to be used; in this example Reset Password. The configuration can be tested by clicking the Operator button and selecting an operator from the list, then clicking the Get button and selecting the user to perform the check on. The user's permissions must already be configured at the AD level for this to succeed; see step 2 below for one way of doing this. Click the Check button to validate that the configuration works as expected. Click the Save button to save the template and close.

Make sure the newly created template is selected in the drop down list and click Ok to save and close the dialog. Click Ok to save and close the card template.

Step 2 Configure User Permissions

For this scenario we have two operators and one user. We issue the smart card token to the user with the operator who is permitted to perform only that life cycle task, and then perform PIN unblock with the other operator, who is permitted to perform only that task.

There are other ways to achieve this with extended rights. This is only an example and should not be seen as the correct or only way to configure Windows extended rights; extended rights should be configured by an expert in this area. Versasec provides this as a simple example for demonstration purposes.

Open Active Directory Users and Computers and make sure that Advanced Features is selected in the View menu. Select the user for this example scenario, right click the user and select Properties. Select the Security tab and click the Add button. Add the two operator accounts used in this example; below they are Bob A Smith and Sammy Slick. Select Bob A Smith and set Change password to Allow, as he is permitted to issue a smart card token for this user, and set Reset password to Deny, as he is not permitted to perform online PIN unblock. For the operator Sammy Slick set the opposite, as in the dialog below.

Step 3 Issue and Unblock Smart Card Token

Log onto the S-Series application console as the first operator (Bob A Smith in this example). From the Lifecycle page attach a smart card token and issue it with the template created above. The issuance should succeed. Revoke/Retire/Unregister the smart card token from the Lifecycle page and close the S-Series application console.

Log onto the S-Series application console as the other operator (Sammy Slick in this example). From the Lifecycle page attach a smart card token and issue it with the template created above. The issuance should fail.

Similarly, for the token successfully issued to the user above, go to the Actions > Smart Card Unblock page and attempt to unblock it while the operator who is not permitted to perform unblocks (Bob A Smith in this example) is logged into the S-Series application console. The unblock should fail. Then attempt the unblock while the other operator is logged on; this should complete successfully.
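As an added example, and not Versasec code nor the way the S-Series performs its AD Extended Rights validation (which asks the domain controller), the Python below models the Windows access check for an extended right on a user object, seeded with the ACL that step 2 produces for Bob A Smith and Sammy Slick. It reproduces the documented DACL rules: ACEs are evaluated in canonical order (explicit Deny, explicit Allow, inherited Deny, inherited Allow) and the first ACE that applies to the operator or one of its groups, and to the requested right, decides. The two right GUIDs are the real Active Directory values for User-Change-Password and User-Force-Change-Password; the operators, the user object's ACL, the help-desk group and its membership are constructed.

```python
"""Model of the Windows access check for an AD extended right (added example).

Not Versasec code and not how the S-Series performs its 'AD Extended Rights'
validation, which asks the domain controller. It reproduces the documented
DACL evaluation rules so an integrator can predict the outcome of the checks
in steps 1 to 3: ACEs are taken in canonical order (explicit Deny, explicit
Allow, inherited Deny, inherited Allow) and the first ACE that applies to the
operator or one of its groups, and to the requested right, decides. The two
right GUIDs are the real Active Directory values; the operators, the user
object's ACL, the group and its membership are constructed.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set

CHANGE_PASSWORD = "ab721a53-1e2f-11d0-9819-00aa0040529b"  # User-Change-Password
RESET_PASSWORD = "00299570-246d-11d0-a768-00aa006e0529"   # User-Force-Change-Password


@dataclass(frozen=True)
class Ace:
    trustee: str                  # account or group (a SID in a real ACL)
    allow: bool                   # False = Deny ACE
    right: Optional[str] = None   # extended-right GUID; None covers all rights
    inherited: bool = False       # came from the OU/domain, not set on the object


def canonical(dacl: Iterable[Ace]) -> List[Ace]:
    """Order ACEs as Windows expects: explicit before inherited, Deny before Allow."""
    return sorted(dacl, key=lambda a: (a.inherited, a.allow))


def has_extended_right(dacl: Iterable[Ace], principal: str,
                       groups: Set[str], right: str) -> bool:
    """First matching ACE in canonical order decides; no match means denied."""
    trustees = {principal, *groups}
    for ace in canonical(dacl):
        if ace.trustee not in trustees:
            continue
        if ace.right is not None and ace.right != right:
            continue
        return ace.allow
    return False


def without_explicit_deny(dacl: Iterable[Ace], trustee: str) -> List[Ace]:
    """The same ACL with the trustee's explicit Deny entries removed."""
    return [a for a in dacl
            if not (a.trustee == trustee and not a.allow and not a.inherited)]


# Constructed ACL of the test user's object after step 2 of the guide, plus an
# inherited Allow for a help-desk group of which Bob is a member (constructed).
USER_OBJECT_DACL = [
    Ace("Bob A Smith", allow=True, right=CHANGE_PASSWORD),
    Ace("Bob A Smith", allow=False, right=RESET_PASSWORD),
    Ace("Sammy Slick", allow=True, right=RESET_PASSWORD),
    Ace("Sammy Slick", allow=False, right=CHANGE_PASSWORD),
    Ace("Helpdesk Operators", allow=True, right=RESET_PASSWORD, inherited=True),
]
GROUP_MEMBERSHIP = {"Bob A Smith": {"Helpdesk Operators"}, "Sammy Slick": set()}


def operator_can(operator: str, right: str, dacl=USER_OBJECT_DACL) -> bool:
    """Would the extended-rights validation pass for this operator and right?"""
    return has_extended_right(dacl, operator,
                              GROUP_MEMBERSHIP.get(operator, set()), right)


if __name__ == "__main__":
    for op in ("Bob A Smith", "Sammy Slick"):
        print(op, "issue:", operator_can(op, CHANGE_PASSWORD),
              "unblock:", operator_can(op, RESET_PASSWORD))
    trimmed = without_explicit_deny(USER_OBJECT_DACL, "Bob A Smith")
    print("Bob unblock without the Deny ACE:",
          operator_can("Bob A Smith", RESET_PASSWORD, trimmed))
```

The last line of the demo is the reason the Deny entries in step 2 matter: operators frequently hold Reset Password through a group grant inherited from the OU, and without the explicit Deny on the user object the unblock check would pass for Bob as well. The real decision is made by the domain controller, so use this only to reason about an ACL layout and confirm the outcome with the Check button in the validation template.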

324 Configure USS Dialog Messages It is possible to configure some of the message popup dialogs that the USS application displays when performing card operations with the USS. For example, it may be required to customize a popup message dialog when an end user attaches their smart card token that is blocked. If the end user starts the USS application manually or the USS is running in the system tray, then the USS will automatically popup an unblock dialog with customized information displayed in the dialog. In order to configure this there are 2 places where this needs to be done, i.e. on the server side and on the USS application. Configure on Server Side From file menu select the Program Settings and enable the check box Enable message dialog management. Click the Configure Message Dialog button to configure the messages that can be customized. In this dialog, all available customizable message dialogs will be listed. Self-service change PIN From here it is possible to customize the message content that will pop up in a dialog when a smart card is attached to a client host where the USS application is either manually started or the USS is running in the system tray and the attached smart card PIN requires its PIN to be changed. Select the entry in the list and click Edit. In the Message section the Default radio button will present the default message. Select the User defined radio button and click the Edit message button to customize the message. If you wish to customize the message as HTML enable the HTML check box and enter valid HTML5 into the edit window. Alternatively click the Sample Message button and sample HTML will be populated into the edit window. Click the test button to display what the message will look like when displayed by the USS application. If you wish to enter plain text instead of HTML enter this into the edit dialog and click the test button to display what the message will look like when displayed by the USS application. 
System variables can be added to either the HTML or plain text to extend the information that can be displayed in the message dialogs. Select a variable from the available drop down list and click the Copy button. Then paste the variable into the edit window. The variable value will then be displayed in the message dialog when shown in the USS application. Self-service change PIN fails From here it is possible to customize the message content that will pop up in a dialog when performing the previous operation and this operation fails for whatever reason. Select the entry in the list and click Edit. In the Message section the Default radio button will present the default message. Select the User defined radio button and click the Edit message button to customize the message. If you wish to customize the message as HTML enable the HTML check box and enter valid HTML5 into the edit window. Alternatively click the Sample Message button and sample HTML will be populated into the edit window. Click the test button to display what the message will look like when displayed by the USS application. If you wish to enter plain text instead of HTML enter this into the edit dialog and click the test button to display what the message will look like when displayed by the USS application. vsec:cms versasec.com 324(338)

325 System variables can be added to either the HTML or plain text to extend the information that can be displayed in the message dialogs. Select a variable from the available drop down list and click the Copy button. Then paste the variable into the edit window. The variable value will then be displayed in the message dialog when shown in the USS application. Enable the Show details check box which will result in the message dialog presenting more detailed technical information that can be useful in troubleshooting scenarios. Enable the Show support ticket check box which will add a unique system generated support ticket variable that can be attached to the message content. If this is enabled, then you can add this variable to the user defined message configured from the Edit Message button. Enable the Enable Notification check box if it is required that an or SMS be sent to a configurable person(s) when the message dialog appears. Click the Configure button to configure the or SMS that can be sent in this case. This may be useful if it is required to notify an administrator if the operation failed with details that can be used for troubleshooting purposes. Self-service PIN unblock From here it is possible to customize the message content that will pop up in a dialog when a smart card is attached to a client host where the USS application is either manually started or the USS is running in the system tray and the attached smart card PIN requires its PIN to be unblocked. Select the entry in the list and click Edit. In the Message section the Default radio button will present the default message. Select the User defined radio button and click the Edit message button to customize the message. If you wish to customize the message as HTML enable the HTML check box and enter valid HTML5 into the edit window. Alternatively click the Sample Message button and sample HTML will be populated into the edit window. 
Click the test button to display what the message will look like when displayed by the USS application. If you wish to enter plain text instead of HTML enter this into the edit dialog and click the test button to display what the message will look like when displayed by the USS application. System variables can be added to either the HTML or plain text to extend the information that can be displayed in the message dialogs. Select a variable from the available drop down list and click the Copy button. Then paste the variable into the edit window. The variable value will then be displayed in the message dialog when shown in the USS application. Self-service PIN unblock fails From here it is possible to customize the message content that will pop up in a dialog when performing the previous operation and this operation fails for whatever reason. Select the entry in the list and click Edit. In the Message section the Default radio button will present the default message. Select the User defined radio button and click the Edit message button to customize the message. If you wish to customize the message as HTML enable the HTML check box and enter valid HTML5 into the edit window. Alternatively click the Sample Message button and sample HTML will be populated into the edit window. Click the test button to display what the message will look like when displayed by the USS application. If you wish to enter plain text instead of HTML enter this into the edit dialog and click the test button to display what the message will look like when displayed by the USS application. vsec:cms versasec.com 325(338)

System variables can be added to either the HTML or plain text to extend the information that can be displayed in the message dialogs. Select a variable from the available drop down list and click the Copy button. Then paste the variable into the edit window. The variable value will then be displayed in the message dialog when shown in the USS application.

Enable the Show details check box to have the message dialog present more detailed technical information that can be useful in troubleshooting scenarios. Enable the Show support ticket check box to add a unique system generated support ticket variable that can be attached to the message content. If this is enabled, you can add this variable to the user defined message configured from the Edit Message button. Enable the Enable Notification check box if an email or SMS should be sent to a configurable person(s) when the message dialog appears. Click the Configure button to configure the email or SMS that is sent in this case. This may be useful if an administrator needs to be notified that the operation failed, with details that can be used for troubleshooting purposes.

Self-service update card

From here it is possible to customize the message content that pops up in a dialog when a smart card is attached to a client host where the USS application is either manually started or running in the system tray, and the attached smart card needs to be updated, for example because the certificate on the smart card needs to be updated. Select the entry in the list and click Edit. In the Message section the Default radio button presents the default message. Select the User defined radio button and click the Edit message button to customize the message. If you wish to customize the message as HTML, enable the HTML check box and enter valid HTML5 into the edit window. Alternatively, click the Sample Message button and sample HTML will be populated into the edit window. Click the Test button to display what the message will look like when displayed by the USS application. If you wish to enter plain text instead of HTML, enter this into the edit dialog and click the Test button to display what the message will look like when displayed by the USS application.

System variables can be added to either the HTML or plain text to extend the information that can be displayed in the message dialogs. Select a variable from the available drop down list and click the Copy button. Then paste the variable into the edit window. The variable value will then be displayed in the message dialog when shown in the USS application.

Self-service update card fails

From here it is possible to customize the message content that pops up in a dialog when the previous operation is performed and fails for whatever reason. Select the entry in the list and click Edit. In the Message section the Default radio button presents the default message. Select the User defined radio button and click the Edit message button to customize the message. If you wish to customize the message as HTML, enable the HTML check box and enter valid HTML5 into the edit window. Alternatively, click the Sample Message button and sample HTML will be populated into the edit window. Click the Test button to display what the message will look like when displayed by the USS application. If you wish to enter plain text instead of HTML, enter this into the edit dialog and click the Test button to display what the message will look like when displayed by the USS application.

System variables can be added to either the HTML or plain text to extend the information that can be displayed in the message dialogs. Select a variable from the available drop down list and click the Copy button. Then paste the variable into the edit window. The variable value will then be displayed in the message dialog when shown in the USS application.

Enable the Show details check box to have the message dialog present more detailed technical information that can be useful in troubleshooting scenarios. Enable the Show support ticket check box to add a unique system generated support ticket variable that can be attached to the message content. If this is enabled, you can add this variable to the user defined message configured from the Edit Message button. Enable the Enable Notification check box if an email or SMS should be sent to a configurable person(s) when the message dialog appears. Click the Configure button to configure the email or SMS that is sent in this case. This may be useful if an administrator needs to be notified that the operation failed, with details that can be used for troubleshooting purposes.

Self-service issuance

From here it is possible to customize the message content that pops up in a dialog when a smart card is attached to a client host where the USS application is either manually started or running in the system tray, and the attached smart card should be issued. Select the entry in the list and click Edit. In the Message section the Default radio button presents the default message. Select the User defined radio button and click the Edit message button to customize the message. If you wish to customize the message as HTML, enable the HTML check box and enter valid HTML5 into the edit window. Alternatively, click the Sample Message button and sample HTML will be populated into the edit window. Click the Test button to display what the message will look like when displayed by the USS application. If you wish to enter plain text instead of HTML, enter this into the edit dialog and click the Test button to display what the message will look like when displayed by the USS application.

System variables can be added to either the HTML or plain text to extend the information that can be displayed in the message dialogs. Select a variable from the available drop down list and click the Copy button. Then paste the variable into the edit window. The variable value will then be displayed in the message dialog when shown in the USS application.

Self-service issuance fails

From here it is possible to customize the message content that pops up in a dialog when the previous operation is performed and fails for whatever reason. Select the entry in the list and click Edit. In the Message section the Default radio button presents the default message. Select the User defined radio button and click the Edit message button to customize the message. If you wish to customize the message as HTML, enable the HTML check box and enter valid HTML5 into the edit window. Alternatively, click the Sample Message button and sample HTML will be populated into the edit window. Click the Test button to display what the message will look like when displayed by the USS application. If you wish to enter plain text instead of HTML, enter this into the edit dialog and click the Test button to display what the message will look like when displayed by the USS application.

System variables can be added to either the HTML or plain text to extend the information that can be displayed in the message dialogs. Select a variable from the available drop down list and click the Copy button. Then paste the variable into the edit window. The variable value will then be displayed in the message dialog when shown in the USS application.

Enable the Show details check box to have the message dialog present more detailed technical information that can be useful in troubleshooting scenarios. Enable the Show support ticket check box to add a unique system generated support ticket variable that can be attached to the message content. If this is enabled, you can add this variable to the user defined message configured from the Edit Message button. Enable the Enable Notification check box if an email or SMS should be sent to a configurable person(s) when the message dialog appears. Click the Configure button to configure the email or SMS that is sent in this case. This may be useful if an administrator needs to be notified that the operation failed, with details that can be used for troubleshooting purposes.

Configure on USS Side

By default, the USS shows notifications as a balloon popup message dialog. In the scenario here we override this default behavior and replace it with the customized content in the configurable dialogs described in the previous section. This must be configured in the USS. On a client where the USS is installed, open a command window and browse to the location where the USS is installed. For example, on a 32-bit operating system the default location of the USS installation is:

C:\Program Files\Versasec\vSEC_CMS Self-service

And on a 64-bit operating system the default location is:

C:\Program Files (x86)\versasec\vsec_cms Self-service

Run the following command, which opens the USS configuration dialog:

vsec_cms_t_uss.exe -configure

From the Settings tab click the Configure button. From this dialog you can enable pop-up, which overrides the default balloon behavior. If you want to ensure that the message dialog is always on top, enable the check box to set this.


Configure Change PIN

It is possible to configure notifications that are sent to the smart card user with instructions to change their PIN. This may be required if it is deemed necessary to force the end user to change their PIN at configurable intervals.

Step 1 Configure PIN Policy

From Templates PIN Policy click the Add button. Enter a template name and, from the card type drop down list, select from the available PIN policies. In this example, we will use MD 3810 as the card type. If you wish to set a PIN policy on the card itself, enable the Smart card managed PIN policies; these are then applied to the smart card during the issuance process.

In order to configure the notification(s) to change the PIN, enable the Server managed PIN policy check box. Enter the number of days after which the user should change their PIN into the Change PIN after field. For example, if a user should change their PIN every 60 days, enter the value 60 into the field. Enable the Manage Force PIN change server-side check box if, when Force PIN change is configured, this check should be performed on the server side. The result of the check is a notification displayed when the smart card is used while the vsec:cms USS is running on the client side. Force PIN change can, for example, be set when a smart card PIN is initiated by the S-Series during card issuance.

Click the Configure button to configure the notifications that are sent to whoever is required to receive them. Click Add to create a new notification template.

Note: Additional notification templates can be created if different notification messages should be sent as the time remaining before the PIN must be changed approaches the value set in the Change PIN after field.

From this dialog you configure the period during which the notification is sent. Enter a template name for the title. For the period configuration, in the From field enter the number of days before the PIN should be changed that this notification will be sent. In the To field enter the number of days that this notification will be sent for. Therefore, for this particular example the notification will be sent between the 40th and 50th day. Enable the Enable Notification check box and in the Notify every field enter the frequency (in days) at which the notification is sent. In this example a notification is sent once a day between the 40th and 50th day.

Click the Configure Notification button to configure the actual notification message that is to be sent. Click the Add button to add either an email or SMS notification message. Enable the Force period check box if the dialog should be displayed on the client side such that the user cannot close the notification dialog until they have performed the update on the smart card token. Save the template and close out.

Step 2 Add PIN Policy to Card Template

The template created in step 1 must be added to the card template that will be used to issue the smart card token. From the Issue card section of the card template configuration, enable the PIN policy created in step 1. In the Primary Card PIN Options section enable the Apply PIN Policy check box and from the drop down list select the PIN policy created in step 1. Then, depending on the configuration, email or SMS notifications are sent to the person(s) configured in the notification templates.

For example, if an email notification is to be sent, you would configure it as described here. Click the Add button to create a new notification template. Enter a template name and select the configured email server to use from the Outgoing Server drop down list. Click the Edit template button to configure the actual content of the email that will be sent to the smart card user. The message content can be either MHTML or plain text. MHTML files can be created using MS Word, for example. If an MHTML file is used for the content, select the Html radio button and click the Import button to select and import the MHTML file into the application. It is possible to place S-Series variables into the MHTML page as placeholders that are replaced by actual data retrieved by the application. If plain text is used for the content, select the Text radio button.

Enter the address the email will be sent from into the From field. The To field should contain the variable for the user's email address. To place the variable into the field, select the variable from the Variables drop down list and select Copy. A short description of the variable appears below the drop down list. Right click the field and select paste. A CC and BCC can be provided if required. Enter an appropriate subject into the Subject field. For the message, enter an appropriate message with variables to be replaced with specific data from the system. If a variable cannot be resolved when exporting the data, the variable name is used instead; for example, if the variable ${UserPin} is used and for some reason the user PIN cannot be retrieved from the application, the value exported will be the variable name, i.e. ${UserPin}. Click Ok to save the template.

Important: When adding variable placeholders to either MHTML or plain text, the variable needs to be entered correctly, i.e. the variables are case sensitive.

Note: When constructing the message in plain text, press Ctrl + Return to move the cursor to a new line.
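The two rules above (placeholders are case sensitive, and an unresolvable placeholder is exported as its own name) are easy to get wrong when authoring templates. The following added example, which is not part of the guide or the product, implements a renderer with exactly those semantics together with a pre-send check that lists placeholders the server would leave unresolved; the `${Name}` syntax is taken from the guide, while the sample template and variable values are constructed.

```python
import re
from typing import List, Mapping

# Placeholder syntax used in the guide: ${VariableName}. Lookups are case sensitive.
PLACEHOLDER = re.compile(r"\$\{([A-Za-z_][A-Za-z0-9_]*)\}")


def render_template(template: str, values: Mapping[str, str]) -> str:
    """Replace ${Var} placeholders with their values.

    Mirrors the behaviour the guide describes: a placeholder whose name has no
    value (including a wrong-case name such as ${userpin}) is left in the output
    as its literal name instead of being blanked out.
    """
    def substitute(match) -> str:
        name = match.group(1)
        return values[name] if name in values else match.group(0)

    return PLACEHOLDER.sub(substitute, template)


def unresolved_placeholders(template: str, values: Mapping[str, str]) -> List[str]:
    """Return the placeholder names in the template that have no value.

    Running this before the template is saved catches typos and case mistakes
    that would otherwise be sent to the recipient as raw ${...} text.
    """
    names = {m.group(1) for m in PLACEHOLDER.finditer(template)}
    return sorted(names - set(values))


# Constructed sample data (not from the product): a plain-text notification body
# and the variables the server would resolve for this user. Note the lower-case
# ${username} on the last line, which does not match the resolved UserName.
SAMPLE_TEMPLATE = (
    "Dear ${UserName},\n"
    "Your smart card PIN must be changed within ${DaysLeft} days.\n"
    "Support ticket: ${SupportTicket}\n"
    "This reminder was sent to ${username}.\n"
)
SAMPLE_VALUES = {
    "UserName": "A. Example",
    "DaysLeft": "10",
    "SupportTicket": "TICKET-0001",
}

if __name__ == "__main__":
    print(render_template(SAMPLE_TEMPLATE, SAMPLE_VALUES))
    print("unresolved:", unresolved_placeholders(SAMPLE_TEMPLATE, SAMPLE_VALUES))
```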

Configure Windows Group Permissions

It is possible to configure the S-Series such that operators and users are managed using Active Directory (AD) group membership. Consider, for example, a geographically distributed organization with many office locations, where each office needs to administer the smart card tokens of its own end users. In this setup AD group membership can be used as follows: each office has at least one operator who is a member of a Card User Group, and employees at that same office are also members of the same Card User Group. Employees travelling between offices are given temporary membership of the Card User Group of the office being visited. The operators of that office are then, based on the group membership, able to administer that user's card.

Example Windows AD Group Permissions Configuration

This section describes how to configure the S-Series to use Windows AD group permissions. A simple example is used to illustrate how this can be configured and used. Example company XYZ has 2 different office locations, one office in the UK and one in Germany. S-Series operators located in the UK office may only manage smart card users located in the UK office, and similarly S-Series operators located in the German office may only manage smart card users located in the German office. In AD, 2 groups are created, UKOffice and GermanOffice. All S-Series operators located in the UK office are members of UKOffice and all S-Series operators located in the German office are members of GermanOffice. Similarly, all smart card users located in the UK office are members of UKOffice and all smart card users located in the German office are members of GermanOffice.

Step 1 Create Card Template

From Templates Card Templates click the Add button. From General click the Edit link, enter a template name, attach the smart card token that you wish to manage with this template and click the Detect button. In the Permissions section enable the Check external permission check box and click the Manage button. Click the Add button to create a template. Enter a template name and click the Add button. Select the directory to use from the directory connection drop down list and select the AD group(s) that are to be used.

Click the Test button to perform a test. From this dialog it is possible to perform a simple test. Click the first Get DN button to search for an operator who is a member of the UKOffice group. Then click the second Get DN button to search for an end user who is a member of the UKOffice group, and click the Test button to perform the permission test. If all is configured correctly, a success dialog appears.

Note: If AD group membership should also be checked on lifecycle operations, enable the Access rights per individual lifecycle tasks check box in the Permissions section of the General dialog.

Step 2 Complete the Card Template

Complete the card template configuration as required and then perform an issuance for an operator located in the UK office with a user from the UK office; this should succeed.
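The permission rule the Test dialog exercises is that the operator and the end user must both be members of at least one AD group selected in the template. The following added example, which is not part of the guide or the product, models that check for the XYZ scenario, including the travelling-employee case where temporary UKOffice membership grants and then revokes access. The directory data and distinguished names are constructed, and the per-lifecycle-task variant is an assumed model of how the "Access rights per individual lifecycle tasks" option might be applied, not a description of the product's implementation.

```python
from typing import Dict, Iterable, List, Set

# Constructed directory data for the XYZ example (two office groups). The
# distinguished names below are made up for illustration.
UK_GROUP = "CN=UKOffice,OU=Groups,DC=xyz,DC=example"
DE_GROUP = "CN=GermanOffice,OU=Groups,DC=xyz,DC=example"
OP_UK = "CN=op.london,OU=Operators,DC=xyz,DC=example"
OP_DE = "CN=op.berlin,OU=Operators,DC=xyz,DC=example"
USER_UK = "CN=user.smith,OU=Users,DC=xyz,DC=example"
USER_DE = "CN=user.mueller,OU=Users,DC=xyz,DC=example"


class Directory:
    """Minimal in-memory stand-in for the AD group lookups the S-Series performs."""

    def __init__(self, members: Dict[str, Set[str]]):
        self.members = {group: set(dns) for group, dns in members.items()}

    def groups_of(self, dn: str) -> Set[str]:
        """Return every group the given DN is a member of."""
        return {group for group, dns in self.members.items() if dn in dns}

    def add_member(self, group: str, dn: str) -> None:
        self.members.setdefault(group, set()).add(dn)

    def remove_member(self, group: str, dn: str) -> None:
        self.members.get(group, set()).discard(dn)


def new_directory() -> Directory:
    """The XYZ starting state: each office group holds its own operator and user."""
    return Directory({UK_GROUP: {OP_UK, USER_UK}, DE_GROUP: {OP_DE, USER_DE}})


def external_permission_ok(directory: Directory, operator_dn: str, user_dn: str,
                           template_groups: Iterable[str]) -> bool:
    """Check the template's external permission the way the Test dialog does.

    The operator may manage the user's card only if both are members of at
    least one of the AD groups selected in the template. Each being in a
    different office group is not enough, even if both groups are selected.
    """
    shared = directory.groups_of(operator_dn) & directory.groups_of(user_dn)
    return bool(shared & set(template_groups))


def lifecycle_permission_ok(directory: Directory, operator_dn: str, user_dn: str,
                            task_groups: Dict[str, List[str]], task: str) -> bool:
    """Assumed per-task model: each lifecycle task has its own group list and a
    task with no configured groups is denied (fail closed)."""
    groups = task_groups.get(task)
    if not groups:
        return False
    return external_permission_ok(directory, operator_dn, user_dn, groups)


def travelling_user_scenario() -> List[bool]:
    """Walk through the travelling-employee case from the guide.

    Returns the result of the UK operator managing the German user's card
    before the visit, during it (temporary UKOffice membership) and after
    membership is revoked.
    """
    directory = new_directory()
    template_groups = [UK_GROUP, DE_GROUP]
    before = external_permission_ok(directory, OP_UK, USER_DE, template_groups)
    directory.add_member(UK_GROUP, USER_DE)      # temporary membership granted
    during = external_permission_ok(directory, OP_UK, USER_DE, template_groups)
    directory.remove_member(UK_GROUP, USER_DE)   # revoked when the visit ends
    after = external_permission_ok(directory, OP_UK, USER_DE, template_groups)
    return [before, during, after]


if __name__ == "__main__":
    d = new_directory()
    print("UK operator / UK user:", external_permission_ok(d, OP_UK, USER_UK, [UK_GROUP]))
    print("UK operator / DE user:", external_permission_ok(d, OP_UK, USER_DE, [UK_GROUP, DE_GROUP]))
    print("travelling user (before, during, after):", travelling_user_scenario())
```

The second check stays False even though both groups are selected in the template, which is the behaviour the XYZ requirement asks for: selecting a group does not grant cross-office access, shared membership does.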


More information

Product Description. SafeSign Identity Client Standard Version 2.3 for MAC OS X 10.4

Product Description. SafeSign Identity Client Standard Version 2.3 for MAC OS X 10.4 SafeSign Identity Client Standard Version 2.3 for MAC OS X 10.4 This document contains information of a proprietary nature. No part of this document may be reproduced or transmitted in any form or by any

More information

YubiKey Smart Card Minidriver User Guide. Installation and Usage YubiKey 4, YubiKey 4 Nano, YubiKey 4C, YubiKey 4C Nano, YubiKey NEO, YubiKey NEO-n

YubiKey Smart Card Minidriver User Guide. Installation and Usage YubiKey 4, YubiKey 4 Nano, YubiKey 4C, YubiKey 4C Nano, YubiKey NEO, YubiKey NEO-n YubiKey Smart Card Minidriver User Guide Installation and Usage YubiKey 4, YubiKey 4 Nano, YubiKey 4C, YubiKey 4C Nano, YubiKey NEO, YubiKey NEO-n Copyright 2017 Yubico Inc. All rights reserved. Trademarks

More information

x10data Application Platform v7.1 Installation Guide

x10data Application Platform v7.1 Installation Guide Copyright Copyright 2010 Automated Data Capture (ADC) Technologies, Incorporated. All rights reserved. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the

More information

One Identity Active Roles 7.2

One Identity Active Roles 7.2 One Identity December 2017 This document provides information about the Active Roles Add_on Manager7.2. About Active Roles Add_on Manager New features Known issues System requirements Getting started with

More information

Rapid Recovery DocRetriever for SharePoint User Guide

Rapid Recovery DocRetriever for SharePoint User Guide Rapid Recovery 6.1.3 Table of Contents Introduction to DocRetriever for SharePoint... 6 Using this documentation... 6 About DocRetriever for SharePoint...7 DocRetriever, AppAssure, and Rapid Recovery compatibility...

More information

One Identity Defender 5.9. Product Overview

One Identity Defender 5.9. Product Overview One Identity 5.9 Product Overview Copyright 2017 One Identity LLC. ALL RIGHTS RESERVED. This guide contains proprietary information protected by copyright. The software described in this guide is furnished

More information

SafeNet Authentication Service Synchronization Agent. Configuration Guide

SafeNet Authentication Service Synchronization Agent. Configuration Guide SafeNet Authentication Service Synchronization Agent Configuration Guide All information herein is either public information or is the property of and owned solely by Gemalto and/or its subsidiaries who

More information

Secure Held Print Jobs. Administrator's Guide

Secure Held Print Jobs. Administrator's Guide Secure Held Print Jobs Administrator's Guide April 2013 www.lexmark.com Contents 2 Contents Overview... 3 Configuring Secure Held Print Jobs...4 Configuring and securing the application... 4 Using Secure

More information

SAP Workforce Performance Builder 9.5

SAP Workforce Performance Builder 9.5 Upgrade Guide Workforce Performance Builder Document Version: 1.0 2016-10-15 2016 SAP SE or an SAP affiliate company. All rights reserved. CUSTOMER Table of Contents 1 Introduction... 3 2 Migrating a Workarea...

More information

Enterprise Vault.cloud CloudLink Google Account Synchronization Guide. CloudLink to 4.0.3

Enterprise Vault.cloud CloudLink Google Account Synchronization Guide. CloudLink to 4.0.3 Enterprise Vault.cloud CloudLink Google Account Synchronization Guide CloudLink 4.0.1 to 4.0.3 Enterprise Vault.cloud: CloudLink Google Account Synchronization Guide Last updated: 2018-06-08. Legal Notice

More information

HYCU SCOM Management Pack for F5 BIG-IP

HYCU SCOM Management Pack for F5 BIG-IP USER GUIDE HYCU SCOM Management Pack for F5 BIG-IP Product version: 5.5 Product release date: August 2018 Document edition: First Legal notices Copyright notice 2015-2018 HYCU. All rights reserved. This

More information

RSA Authentication Manager 7.1 Help Desk Administrator s Guide

RSA Authentication Manager 7.1 Help Desk Administrator s Guide RSA Authentication Manager 7.1 Help Desk Administrator s Guide Contact Information Go to the RSA corporate web site for regional Customer Support telephone and fax numbers: www.rsa.com Trademarks RSA,

More information

BlackBerry Integration With IBM WebSphere Everyplace Access 4.3

BlackBerry Integration With IBM WebSphere Everyplace Access 4.3 BlackBerry Integration With IBM WebSphere Everyplace Access 4.3 Integration Note Research In Motion 2003 Research In Motion Limited. All Rights Reserved. Contents Integration overview... 3 Related resources...

More information

Quest Enterprise Reporter 2.0 Report Manager USER GUIDE

Quest Enterprise Reporter 2.0 Report Manager USER GUIDE Quest Enterprise Reporter 2.0 Report Manager USER GUIDE 2014 Quest Software, Inc. ALL RIGHTS RESERVED. This guide contains proprietary information protected by copyright. The software described in this

More information

Rapid Recovery License Portal Version User Guide

Rapid Recovery License Portal Version User Guide Rapid Recovery License Portal Version 6.1.0 User Guide 2017 Quest Software Inc. ALL RIGHTS RESERVED. This guide contains proprietary information protected by copyright. The software described in this guide

More information

Software Token. Installation and User Guide. 22 September 2017

Software Token. Installation and User Guide. 22 September 2017 Software Token Installation and User Guide 22 September 2017 Notices Following are policies pertaining to proprietary rights and trademarks. Proprietary Rights The information contained in this document

More information

Authentication Manager Self Service Password Request Administrator s Guide

Authentication Manager Self Service Password Request Administrator s Guide Authentication Manager Self Service Password Request 9.0.2 Copyright 2017 One Identity LLC. ALL RIGHTS RESERVED. This guide contains proprietary information protected by copyright. The software described

More information

One Identity Manager 8.0. Administration Guide for Connecting to Azure Active Directory

One Identity Manager 8.0. Administration Guide for Connecting to Azure Active Directory One Identity Manager 8.0 Administration Guide for Connecting to Copyright 2017 One Identity LLC. ALL RIGHTS RESERVED. This guide contains proprietary information protected by copyright. The software described

More information

One Identity Starling Two-Factor Authentication. Administration Guide

One Identity Starling Two-Factor Authentication. Administration Guide One Identity Starling Two-Factor Authentication Copyright 2018 One Identity LLC. ALL RIGHTS RESERVED. This guide contains proprietary information protected by copyright. The software described in this

More information

AdminStudio 10.0 ZENworks Edition

AdminStudio 10.0 ZENworks Edition AdminStudio 10.0 ZENworks Edition Installation Guide Version 10.0 Legal Information Book Name: AdminStudio 10.0 ZENworks Edition Installation Guide Part Number: ADS-1000-IGZ0 Product Release Date: February

More information

One Identity Manager Administration Guide for Connecting to SharePoint

One Identity Manager Administration Guide for Connecting to SharePoint One Identity Manager 8.0.2 Administration Guide for Connecting to Copyright 2018 One Identity LLC. ALL RIGHTS RESERVED. This guide contains proprietary information protected by copyright. The software

More information

Common Access Card for Xerox VersaLink Printers

Common Access Card for Xerox VersaLink Printers Common Access Card for Xerox VersaLink Printers System Configuration Guide Version 1.3 NOVEMBER 2017 2017 Xerox Corporation. All rights reserved. Unpublished rights reserved under the copyright laws of

More information

Notification Template Limitations. Bridge Limitations

Notification Template Limitations. Bridge Limitations Oracle Cloud Known Issues for Oracle Identity Cloud Service Release 18.1.2 E55915-17 February 2018 Notification Template Limitations Note the following limitations with Oracle Identity Cloud Service notification

More information

One Identity Manager 8.0. Administration Guide for Connecting Unix-Based Target Systems

One Identity Manager 8.0. Administration Guide for Connecting Unix-Based Target Systems One Identity Manager 8.0 Administration Guide for Connecting Unix- Copyright 2017 One Identity LLC. ALL RIGHTS RESERVED. This guide contains proprietary information protected by copyright. The software

More information

Proficy* Workflow. Powered by Proficy SOA GETTING STARTED

Proficy* Workflow. Powered by Proficy SOA GETTING STARTED Proficy* Workflow Powered by Proficy SOA GETTING STARTED Version 1.5 SP4 February 2012 All rights reserved. No part of this publication may be reproduced in any form or by any electronic or mechanical

More information

One Identity Starling Two-Factor Desktop Login 1.0. Administration Guide

One Identity Starling Two-Factor Desktop Login 1.0. Administration Guide One Identity Starling Two-Factor Desktop Login 1.0 Administration Guide Copyright 2018 One Identity LLC. ALL RIGHTS RESERVED. This guide contains proprietary information protected by copyright. The software

More information

User Guide. Portable Calibration Module

User Guide. Portable Calibration Module Portable Calibration Module User Guide CyberMetrics Corporation 1523 W. Whispering Wind Drive Suite 100 Phoenix, Arizona 85085 USA Toll-free: 1-800-777-7020 (USA) Phone: (480) 922-7300 Fax: (480) 922-7400

More information

SSL Certificates Certificate Policy (CP)

SSL Certificates Certificate Policy (CP) SSL Certificates Last Revision Date: February 26, 2015 Version 1.0 Revisions Version Date Description of changes Author s Name Draft 17 Jan 2011 Initial Release (Draft) Ivo Vitorino 1.0 26 Feb 2015 Full

More information

One Identity Starling Two-Factor HTTP Module 2.1. Administration Guide

One Identity Starling Two-Factor HTTP Module 2.1. Administration Guide One Identity Starling Two-Factor HTTP Module 2.1 Administration Guide Copyright 2018 One Identity LLC. ALL RIGHTS RESERVED. This guide contains proprietary information protected by copyright. The software

More information

Veritas Backup Exec Quick Installation Guide

Veritas Backup Exec Quick Installation Guide Veritas Backup Exec Quick Installation Guide Legal Notice Copyright 2017 Veritas Technologies LLC. All rights reserved. Veritas and the Veritas Logo are trademarks or registered trademarks of Veritas Technologies

More information

YubiKey Smart Card Deployment Guide

YubiKey Smart Card Deployment Guide YubiKey Smart Card Deployment Guide Best Practices and Basic Setup YubiKey 4 Series (YubiKey 4, YubiKey 4 Nano, YubiKey 4C, YubiKey 4C Nano) YubiKey NEO Series (YubiKey NEO, YubiKey NEO-n) Last Updated:

More information

YubiKey Smart Card Deployment Guide

YubiKey Smart Card Deployment Guide YubiKey Smart Card Deployment Guide Best Practices and Basic Setup YubiKey 4, YubiKey 4 Nano, YubiKey 4C, YubiKey 4C Nano, YubiKey NEO, YubiKey NEO-n Copyright 2017 Yubico Inc. All rights reserved. Trademarks

More information

Installation Guide. EventTracker Enterprise. Install Guide Centre Park Drive Publication Date: Aug 03, U.S. Toll Free:

Installation Guide. EventTracker Enterprise. Install Guide Centre Park Drive Publication Date: Aug 03, U.S. Toll Free: EventTracker Enterprise Install Guide 8815 Centre Park Drive Publication Date: Aug 03, 2010 Columbia MD 21045 U.S. Toll Free: 877.333.1433 Abstract The purpose of this document is to help users install

More information

Setting up the DR Series System on Acronis Backup & Recovery v11.5. Technical White Paper

Setting up the DR Series System on Acronis Backup & Recovery v11.5. Technical White Paper Setting up the DR Series System on Acronis Backup & Recovery v11.5 Technical White Paper Quest Engineering November 2017 2017 Quest Software Inc. ALL RIGHTS RESERVED. THIS WHITE PAPER IS FOR INFORMATIONAL

More information

One Identity Password Manager User Guide

One Identity Password Manager User Guide One Identity Password Manager 5.8.2 User Guide Copyright 2018 One Identity LLC. ALL RIGHTS RESERVED. This guide contains proprietary information protected by copyright. The software described in this guide

More information

VMware AirWatch Cloud Connector Guide ACC Installation and Integration

VMware AirWatch Cloud Connector Guide ACC Installation and Integration VMware AirWatch Cloud Connector Guide ACC Installation and Integration Workspace ONE UEM v1810 Have documentation feedback? Submit a Documentation Feedback support ticket using the Support Wizard on support.air-watch.com.

More information

Symantec Desktop and Laptop Option 8.0 SP2. Symantec Desktop Agent for Mac. Getting Started Guide

Symantec Desktop and Laptop Option 8.0 SP2. Symantec Desktop Agent for Mac. Getting Started Guide Symantec Desktop and Laptop Option 8.0 SP2 Symantec Desktop Agent for Mac Getting Started Guide Disclaimer The information contained in this publication is subject to change without notice. Symantec Corporation

More information

Symantec Managed PKI. Integration Guide for AirWatch MDM Solution

Symantec Managed PKI. Integration Guide for AirWatch MDM Solution Symantec Managed PKI Integration Guide for AirWatch MDM Solution ii Symantec Managed PKI Integration Guide for AirWatch MDM Solution The software described in this book is furnished under a license agreement

More information

Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice. Before installing and using the product, please review the readme files,

More information

Quest Collaboration Services 3.6. Installation Guide

Quest Collaboration Services 3.6. Installation Guide Quest Collaboration Services 3.6 Installation Guide 2010 Quest Software, Inc. ALL RIGHTS RESERVED. This guide contains proprietary information protected by copyright. The software described in this guide

More information

Oracle Hospitality Simphony Cloud Services Post-Installation or Upgrade Guide Release 2.10 E July 2018

Oracle Hospitality Simphony Cloud Services Post-Installation or Upgrade Guide Release 2.10 E July 2018 Oracle Hospitality Simphony Cloud Services Post-Installation or Upgrade Guide Release 2.10 E89810-04 July 2018 Copyright 2010, 2018, Oracle and/or its affiliates. All rights reserved. This software and

More information

Multifactor Authentication Installation and Configuration Guide

Multifactor Authentication Installation and Configuration Guide Multifactor Authentication Installation and Configuration Guide Software Version 5.0.0.0 General Information: info@cionsystems.com Online Support: support@cionsystems.com 2017 CionSystems Inc. ALL RIGHTS

More information

Management Console for SharePoint

Management Console for SharePoint Management Console for SharePoint User Guide Copyright Quest Software, Inc. 2009. All rights reserved. This guide contains proprietary information, which is protected by copyright. The software described

More information

March 2011

March 2011 Oracle Enterprise Single Sign-on Logon Manager Best Practices: Configuring the ESSO-LM Agent Release 11.1.1.5.0 21004-01 March 2011 Oracle Enterprise Single Sign-on Logon Manager Best Practices: Configuring

More information

Indeed Card Management Smart card lifecycle management system

Indeed Card Management Smart card lifecycle management system Indeed Card Management Smart card lifecycle management system Introduction User digital signature, strong authentication and data encryption have become quite common for most of the modern companies. These

More information

One Identity Quick Connect Sync Engine Administrator Guide

One Identity Quick Connect Sync Engine Administrator Guide One Identity Quick Connect Sync Engine 5.5.0 Administrator Guide Copyright 2017 One Identity LLC. ALL RIGHTS RESERVED. This guide contains proprietary information protected by copyright. The software described

More information

8.2. Quick Start Guide

8.2. Quick Start Guide 8.2 Quick Start Guide 2012 Quest Software, Inc. ALL RIGHTS RESERVED. This guide contains proprietary information protected by copyright. The software described in this guide is furnished under a software

More information

One Identity Starling Two-Factor AD FS Adapter 6.0. Administrator Guide

One Identity Starling Two-Factor AD FS Adapter 6.0. Administrator Guide One Identity Adapter 6.0 Administrator Guide Copyright 2017 Quest Software Inc. ALL RIGHTS RESERVED. This guide contains proprietary information protected by copyright. The software described in this guide

More information

Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice. Before installing and using the product, please review the readme files,

More information

KYOCERA Net Admin Installation Guide

KYOCERA Net Admin Installation Guide KYOCERA Net Admin Guide Legal Notes Unauthorized reproduction of all or part of this guide is prohibited. The information in this guide is subject to change without notice. We cannot be held liable for

More information