vSEC:CMS S-Series Release Notes, Release October 16th, 2018

vSEC:CMS S-Series Release Notes
Release 5.3.0.0
October 16th, 2018

Introduction

This document provides information about the vSEC:CMS S-Series product suite release. The information provided in this document is as follows:

- New features
- Corrected issues
- Known issues
- Supported card types
- Supported platforms

vSEC:CMS S-Series product suite consists of the following products:

- vSEC:CMS S-Series
- vSEC:CMS User Self-Service
- vSEC:CMS User Self-Service Credential Provider
- vSEC:CMS Remote Service Device Management
- vSEC:CMS Virtual Smart Card

Release Notes versasec.com 1(11)

New Features

vSEC:CMS S-Series

- A new Operator Console COM API which enables integration with other applications.
- A new Lifecycle SOAP API further improves server-side integration with vSEC:CMS.
- Operator console now checks at logon time if the license ID stored on operator card does match with the license ID stored in database.
- Support for YubiKey 5 has been added.
- Gemalto eToken 5110 can now be initialized when you them with vSEC:CMS.
- Functionality has been added to manually add built in default smart card configuration templates.
- Versasec-Activator is now installed to tools folder.
- The LDAP query to retrieve all groups where a user is a member of has been changed to recursive search to improve speed.
- Support for Gemalto PIV 2.1 card has been added.
- Functionality has been added to delete all entries from data export cache.
- The warning message at product uninstallation has been improved.
- Oberthur PIV 8.1 smart card configuration template can be added manually.
- A new parameter has been added to card printing layout: MaxWords.
- Support for AEP KeyperPlus HSM has been added.
- Support task has been added to correct database entries when enrollment configuration ID=0.

vSEC:CMS User Self-Service

- Support for YubiKey 5 has been added.
- Gemalto eToken 5110 can now be initialized when you them with vSEC:CMS.
- The self-service console is now checking before issuing new credentials from "My Profile" if the device is an RSDM managed one.
- Support for Gemalto PIV 2.1 card has been added.

vSEC:CMS User Self-Service Credential Provider

- Support for YubiKey 5 has been added.
- Gemalto eToken 5110 can now be initialized when you them with vSEC:CMS.
- The self-service console is now checking before issuing new credentials from "My Profile" if the device is an RSDM managed one.
- Support for Gemalto PIV 2.1 card has been added.

vSEC:CMS Remote Service Device Management

- There are no new features in this version.

vSEC:CMS Virtual Smart Card

- There are no new features in this version.

Corrected Issues

vSEC:CMS S-Series

- Problem fixed where it did fail to issue certificates on a non-CMS managed smart card under Actions - Certificates.
- Problem fixed where Operator token info dialog is empty.
- New functionality has been implemented to assign user ID to the smart card during issuance in self-service console.
- A character encoding issue in card template card type has been fixed.
- Problem fixed where finger prints are blocked after enrolling them onto YpsID S3 card when having policy PIN and BIO configured.
- Problem fixed where User ID and Card Template fields in batch result are empty when performing card registration and issuance with PIV cards.
- Card templates configured for self-service issuance without user authentication will not be shown under "My Profile - Issue".
- The self-service console is now checking before issuing new credentials from "My Profile" if the device is an RSDM managed one.
- Progress bar with information about number of loaded applets has been removed from Options - License pane.
- Problem fixed where manual batch life cycle task execution stops after first card when having more than one smart card reader attached.
- The LDAP query to retrieve all groups where a user is a member of has been changed to recursive search to improve speed.
- Problem fixed where the system was showing a message about smart card is LOCKED during batch issuance.
- Problem fixed where wrong public key was stored to system database for user authentication when issuing PIV cards.
- Problem fixed where characters are incorrectly encoded in CMS variable description field.
- Problem fixed where certificate reissuance is failing for Oberthur PIV 8.1 cards.
- Problem fixed where issuance of Oberthur PIV 8.1 card with SPE profile was failing with an error "Failed to generate private key".
- A problem has been fixed where the license check was not working correctly at smart card registration.
- Problem fixed where smart card configuration template for eToken 5110 had diversified default manufacturer key configured.
- A problem has been fixed in role permission configuration where two permissions have an ID conflict (TaskActionBioEnroll, RsdmViewSoftwareInfo).
- Problem fixed where key containers did not get deleted when cleaning cards with Open FIPS applet.
- Problem has been fixed where smart card still had Assigned date property after unregistering them from the system.
- Problem fixed where smart card registration of Oberthur 8.1 card is failing when operator did logon with authentication only operator card.
- Text length in Base DN drop down box in LDAP filter dialog is now unlimited.
- Problem has been fixed where it did fail to initialize the system after installation when a virtual smart card or Windows Hello was configured on the computer.
- The system initialization GUI has been improved.
- Problem fixed where smart card registration is failing when an API plugin is installed.
- Problem fixed where changing admin key on System Owner Cards during vSEC:CMS initialization process did not work when using JavaCard.
- Problem fixed where console did not start with an error: "The CMS application cannot start on your PC. The codepage required (1252)".

- Problem fixed where it did fail to register ID Prime MD card when vSEC:CMS operator applet was loaded.
- Problem has been fixed where it did fail to reissue certificates using OpenFips applet ("The credentials presented to the User smart card are not valid").
- Problem fixed where passphrase based PIN unblock in user self-service console fails with an error "Function is not supported".
- Problem fixed where operator console is crashing when retrieving the user's manager email address from AD and manager DN does contain special char (äöü).
- Problem fixed where migration to SQL did fail with an error about not migrated tables.
- Issue fixed where Bio enroll error pop up is shown even though 'Apply Bio Policy' option is not enabled.
- Issue fixed where YpsID S3 card has no certificate enrolled after successful card issuance.
- Issue fixed where console did crash if no BIO policy is configured for issuance.
- Problem fixed where sometimes PIV signing options got reset.
- Improvements on the Enrollment Configuration page when configuration changes are made.
- Problem fixed where auto enrollment did fail when configured AD group name does contain unicode characters.
- Problem fixed where it did fail to retrieve machine UUID from AD for RSDM onboarding permission check.
- Problem fixed where sometimes the issuance dialog re-appears after issuance has already completed.
- Problem fixed where users were not found in LDAP when searching from Helpdesk API because UNICODE strings were incorrectly converted in CmsServiceDll.
- Problem fixed where refreshing of enrollment configuration pane did not work correctly.

vSEC:CMS User Self-Service

- New functionality has been implemented to assign user ID to the smart card during issuance in self-service console.
- Problem fixed where finger prints are blocked after enrolling them onto YpsID S3 card when having policy PIN and BIO configured.
- Card templates configured for self-service issuance without user authentication will not be shown under "My Profile - Issue".
- Problem fixed where manual batch life cycle task execution stops after first card when having more than one smart card reader attached.
- The self-service console is now checking before issuing new credentials from "My Profile" if the device is an RSDM managed one.
- Problem fixed where wrong public key was stored to system database for user authentication when issuing PIV cards.
- Problem fixed where issuance of Oberthur PIV 8.1 card with SPE profile was failing with an error "Failed to generate private key".
- A problem has been fixed where the license check was not working correctly at smart card registration.
- Problem fixed where key containers did not get deleted when cleaning cards with Open FIPS applet.
- Problem fixed where certificate reissuance is failing for Oberthur PIV 8.1 cards.
- Problem has been fixed where it did fail to initialize the system after installation when a virtual smart card or Windows Hello was configured on the computer.
- Problem fixed where console did not start with an error: "The CMS application cannot start on your PC. The codepage required (1252)".
- Problem fixed where passphrase based PIN unblock in user self-service console fails with an error "Function is not supported".
- Problem has been fixed where it did fail to reissue certificates using OpenFips applet ("The credentials presented to the User smart card are not valid").

- Issue fixed where Bio enroll error pop up is shown even though 'Apply Bio Policy' option is not enabled.
- Issue fixed where YpsID S3 card has no certificate enrolled after successful card issuance.
- Issue fixed where console did crash if no BIO policy is configured for issuance.
- Problem fixed where sometimes PIV signing options got reset.
- Problem fixed where sometimes the issuance dialog did not repaint correctly.
- Problem fixed where issuance fails due to a Fail to encrypt request error.
- Improved functionality where the USS will only run in a single instance.
- Problem fixed where sometimes the issuance dialog re-appears after issuance has already completed.
- Problem fixed where users were not found in LDAP when searching from Helpdesk API because UNICODE strings were incorrectly converted in CmsServiceDll.
- Problem fixed where Issue button in USS console Issuance dialog is still active even though no PIN has been entered.
- Problem fixed where issuance request sometimes did not show up after user did logon.
- Problem has been fixed where it was not possible to set new self-service passphrase for operator cards.
- Problem fixed where it did fail to set user self-service passphrase with a smart card communication error.

vSEC:CMS User Self-Service Credential Provider

- New functionality has been implemented to assign user ID to the smart card during issuance in self-service console.
- Problem fixed where finger prints are blocked after enrolling them onto YpsID S3 card when having policy PIN and BIO configured.
- Card templates configured for self-service issuance without user authentication will not be shown under "My Profile - Issue".
- Problem fixed where manual batch life cycle task execution stops after first card when having more than one smart card reader attached.
- The self-service console is now checking before issuing new credentials from "My Profile" if the device is an RSDM managed one.
- Problem fixed where wrong public key was stored to system database for user authentication when issuing PIV cards.
- Problem fixed where issuance of Oberthur PIV 8.1 card with SPE profile was failing with an error "Failed to generate private key".
- A problem has been fixed where the license check was not working correctly at smart card registration.
- Problem fixed where key containers did not get deleted when cleaning cards with Open FIPS applet.
- Problem fixed where certificate reissuance is failing for Oberthur PIV 8.1 cards.
- Problem has been fixed where it did fail to initialize the system after installation when a virtual smart card or Windows Hello was configured on the computer.
- Problem fixed where console did not start with an error: "The CMS application cannot start on your PC. The codepage required (1252)".
- Problem fixed where passphrase based PIN unblock in user self-service console fails with an error "Function is not supported".
- Problem has been fixed where it did fail to reissue certificates using OpenFips applet ("The credentials presented to the User smart card are not valid").
- Issue fixed where Bio enroll error pop up is shown even though 'Apply Bio Policy' option is not enabled.
- Issue fixed where YpsID S3 card has no certificate enrolled after successful card issuance.
- Issue fixed where console did crash if no BIO policy is configured for issuance.
- Problem fixed where sometimes PIV signing options got reset.

- Problem fixed where sometimes the issuance dialog did not repaint correctly.
- Problem fixed where issuance fails due to a Fail to encrypt request error.
- Improved functionality where the USS will only run in a single instance.
- Problem fixed where sometimes the issuance dialog re-appears after issuance has already completed.
- Problem fixed where users were not found in LDAP when searching from Helpdesk API because UNICODE strings were incorrectly converted in CmsServiceDll.
- Problem fixed where Issue button in USS console Issuance dialog is still active even though no PIN has been entered.
- Problem fixed where issuance request sometimes did not show up after user did logon.
- Problem has been fixed where it was not possible to set new self-service passphrase for operator cards.
- Problem fixed where it did fail to set user self-service passphrase with a smart card communication error.

vSEC:CMS Remote Service Device Management

- Functionality has been added to allow a check if the device is a valid RSDM managed one.
- Improve on handling for detection if a logged-on user is enabled for credential enrollment when computer is offline.
- Problem fixed where sometimes the issuance dialog re-appears after issuance has already completed.

vSEC:CMS Virtual Smart Card

- Issue fixed where Windows signature validation dialog is popping up during silent installation.
- Issue fixed where communication with TPM 1.2 was failing sometimes after waking up computers.

Known issues

vSEC:CMS S-Series

- Key recovery from Entrust CA is not supported on PIV and IDPrime MD 840 smart cards.
- Authorization code issuance using Entrust CA is not supported for smart card issuance with multiple role(s).
- Key archival/recovery not supported for Symantec CA.
- Self-service server does not start if more than one SSL server certificate with the server URL is installed in the computer certificate store.
- Virtual Smart Card issuance with System set PIN in initiate settings fails with an error message: Initialize PIN. One or more of the supplied parameters could not be properly interpreted.
- Symantec CA is not supported for user self-service.
- Rendering issue with Arabic names.
- If console is started using runas image capturing does not work.
- Disabled self-service delivery templates are not detected by consistency check.
- If manually issuing a certificate under Card Actions and the card template is configured for MultiRole=OFF and MultiPin=ON then you do not get the dialog where to select CA/cert template and role when clicking the Issue button. This means it is not possible to select what PIN we want to set for the new certificate. The workaround is to go to the issued container and click PIN button to change the PIN.
- With PUC generated by SYSTEM in template under Initiate, the same card always gets the same 8-digit PUC generated when reissuing the card. Un-registering and reregistering corrects the issue.
- Smart cards issued with vSEC:CMS versions prior to 3.1 do not work for Card Expiration features.
- When initiating a smart card and having pending exports in the cache, the export cache gets overwritten at the next initiate of the same card.
- Force PIN change on first use is not enforced on Operator card for logon to admin console. Logon using the PIN set during card initialization will work.
- When generating a new master key, it is only deployed to other operators at logon, not directly if they are online.
- Only smart card revocation gets written to the transaction log, not the result of each single certificate revocation.
- Rendering issues when MS IE6 (or earlier) is set on the system (IE upgrade solves the issue).
- When blocking the user smart card PIN on .NET smart cards and then logging into vSEC:CMS, invalid PIN verification tries (with counter decrease) are observed. After the counter reaches 0 it is possible to unblock the PIN.
- If different PINs are set on different key containers, only the certificate using the Primary card PIN can be re-issued manually from the Actions menu.
- Certificate issue fails when SSO PIN Policy for Primary card PIN is enabled on Gemalto .NET v7.2 cards (v7.1.0.2 and earlier works). It fails to issue the second certificate during smart card issuance when configured to issue more than one certificate.
- Manual smart card initiate through the lifecycle diagram does not support data export (PIN mailer, email, file export); only online PIN unblock works.
- Protiva PIV card: Delete Certificate doesn't destroy private key (only deletes the certificate).
- Certificate reissue during smart card update only works when keys are protected using primary card PIN.
- PIN policies on Aladdin SafeNet eToken PRO are interpreted by the applications (not on the token).
- If Gemalto IDPrime .NET cards have PUC configured, it is not possible to configure a PIN policy for the PUC.
- Only one PUC per smart card is supported for management purposes.

- When cards are configured with multiple PINs and set to System set PIN on card initiate, the internal consistency check (which runs during card template save) doesn't test the PIN length against all PIN policies.
- When AD is accessed through native LDAP protocol, UNICODE characters can't be used.
- When importing XML with missing referenced files, import still proceeds and reports successful.
- No support for PUC on Virtual Smart Cards.
- Self-service passphrase reset and self-service unblock approval is not supported for managed smart cards issued with multiple PINs.
- Role based cert issuance is not possible using self-service.
- LDAP connection is not supported for Windows credential based authentication in self-service.
- Self-issuance is only supported using MS CA.
- Install of linked root certificates does not work with self-service.
- Using self-service only certificate reissue can be performed, not renewal.
- Change option to load unsigned plugins also has an impact on service, because API plugins are loaded here for update checks.
- Key archival/recovery only works with one key per container.
- Self-registration of RFID cards doesn't work without default manufacturer key.
- Problems requesting certificates when issuing more than one key on an Oberthur ID-One PIV card.
- Changing the JRE for the Entrust CA connection requires vSEC:CMS restart.
- Multiple connections to Entrust CAs is not supported.
- Gemalto IDPrime MD 840/3840 can only be accessed using minidriver interface (no native card access).
- Gemalto IDPrime MD 840/3840 multi PIN option is not supported, only the on card PIN configuration can be used.
- The vSEC:CMS built-in database can be slow when having too many entries in transaction log table.
- The time-out values for SOAP-based communication for the application are configurable using predefined Windows registry entries to prevent errors during card actions. The application Operator Console (SOAP) can hit a network time-out if the server is slow in responding. The current built-in time-out is set to 1 minute, which is configurable in registry.
- On Windows 7 WinHTTP does not support SSL/TLS above 1.0 which impacts using USS and Operator console.
- It is necessary to have the PKCS11Proxy.dll configuration file and whitelist file for BlackVault HSM.
- Failure when using ECC keys on PIV cards.
- Update of altSecurityIdentities field in Active Directory is not working using LDAP access.
- Smart card stock management for PIV cards is not supported.
- Approval flows on MS CA side are not supported for YpsID S3 smart card.
- PUK_USER PIN cannot be exported from vSEC:CMS for YpsID S3 smart cards.
- QPIN is not supported for YpsID S3 smart cards.
- Version information for software inventory are not stored in SQL.
- Manual certificate reissuance (Actions - Certificate/Keys) is not supported for Unicert CA.

vSEC:CMS User Self-Service

- Credential provider on Windows 7 does not support unblock for cards using PUC. This is due to a limitation of standard credential provider implementation.
- When having more than 1 card inserted and performing PIN unblock, the popup dialog will not have the reader preselected which contains the credentials chosen within the credential provider screen.

- It has been observed that certificate reissuance can sometimes fail with "Invalid signature" error on YubiKey tokens.

vSEC:CMS Remote Service Device Management

- No known issues with RSDM.

vSEC:CMS Virtual Smart Card

- No known issues with VSC.

Supported Card Types

- Gemalto IDPrime .NET 510
- Gemalto IDPrime .NET 5500
- Gemalto .NET Bio
- Gemalto IDPrime PIV 2.1
- Gemalto IDPrime MD 3810
- Gemalto IDPrime MD 830
- Gemalto IDPrime MD 840/3840
- Gemalto/Safenet eToken 5110
- ACS ACOS5-64
- ACS CryptoMate64
- Avtor CryptoCard337
- Athena IDProtect
- Athena CNS
- Morpho YpsID S2
- Morpho YpsID S3 v1 Identity Card
- Morpho YpsID S3 v3 Identity Card
- Oberthur Authentic
- Oberthur IAS ECC
- Oberthur ID-One 8.1 PIV card (Applet versions: 2.3.5, 2.4.1)
- HID C200
- HID C1150
- Raak Technologies C2
- Feitian ePass2003 Token
- Safenet eToken PRO
- Taglio C2
- Taglio PIVKey
- Mifare DESFIRE EV1
- CardOS 4.4/5.3
- Yubico YubiKey PIV
- TCOS TeleSec IDKey
- Java Card with Cryptovision ePKI Applet v2.8
- Longmai mToken CryptoID
- Virtual Smart Cards (Microsoft, Charismatics, vSEC:CMS)
- Microsoft Minidriver enabled cards

Supported Platforms

- Client: MS Windows (32 and 64 bit) 7, 8, 10
- Server: MS Windows 2008 R2, 2012 R2, 2016