Install and Issuing your first Full Feature Operator Card

versasec.com

Posted 10-Aug-2020

Table of Contents

Install and Issuing your first Full Feature Operator Card

Section 1 - Initial Install and Configure

Step 1.1 – Installing vSEC:CMS

Step 1.2 – Initializing vSEC:CMS

Step 1.3 – Create Windows Account

Step 1.4 – Configure Backup Settings

Step 1.5 – Configure Connection to AD

Step 1.6 – Setup Connection to MS CA

Section 2 - Configure and Issue First Full-Featured Operator

Step 2.1 – Configure Full-Featured OT Card Template

Step 2.2 – Issue Full-Featured OT

Section 1: Initial Install and Configure

Follow the instructions in this section to set up vSEC:CMS on first use.

Note: The PKI used here is an MS CA. If another CA is to be used, refer to the Zendesk knowledge base for details on configuring a connection to that CA.

Note: This use case is not applicable with vSEC:CMS Demo version.

Step 1.1 – Installing vSEC:CMS

1. Start vSEC:CMS installer and click I Agree.

2. Select the Server option and click Next.

3. Select the default location for the installation or click Browse to install to a different location. Click Install to begin the installation.

4. When complete click Close.

Step 1.2 – Initializing vSEC:CMS

1. Attach the System Owner smart card and start the application from the shortcut icon on the desktop.

Important: The System Owner smart card will typically be provided by your provider, or you can issue it yourself using the Activator tool. See the section Activator Tool for details on using this tool.

Important: Version 10.7.185 or later of the Thales IDPrime smart card minidriver (sometimes referred to as the SafeNet driver) must be installed on the server where vSEC:CMS is installed.

2. Click the Random button to let vSEC:CMS generate a random administration key for the System Owner smart card, or manually enter a value of 48 hexadecimal characters. Click the Copy button and save this key value in a secure location; it will be required later if a PIN unblock has to be performed on this System Owner smart card.

3. Enter a PIN code (passcode) for the System Owner smart card and confirm it. The PIN code must be at least 4 characters.

4. Enter a backup passcode that will be required when performing a restore in the future. Click the Copy button and save this passcode in a secure location. A restore of vSEC:CMS cannot be performed without it, so it is critical that this passcode is stored securely.

5. The logon dialog will now be shown. Enter the PIN created earlier to authenticate and start the application console.

6. Close the application before moving to the next step.

Step 1.3 – Create Windows Account

By default, vSEC:CMS is configured to run under the Windows SYSTEM account. A dedicated Windows account must be created for the vSEC:CMS service, and this account should be used for nothing else.

The Windows account does not need to be of a specific type; a domain user is sufficient, but specific permissions must be configured for this account as described below in the section Configure Windows Permissions.

Important: It is recommended to configure the Windows account password to never expire. Otherwise, the vSEC:CMS service will fail to start after the Windows password is changed.

Configure vSEC:CMS Service

1. Once the dedicated Windows account has been created, open the Windows Services console (services.msc) and stop the service vSEC:CMS Service.

2. Right click the service vSEC:CMS Service and select Properties.

3. Go to the Log On tab and select the This account radio button. Manually enter the Windows user account name created in step 1.

Important: The Windows account name must be entered in the pre-Windows 2000 format. For example, if the account name is cms_service and the domain name is VERSATILESECURI, enter VERSATILESECURI\cms_service. If the account name is not entered in this format the CMS service may not start automatically after a server restart.

Configure Windows Permissions

The Windows user account must be given full control of the vSEC:CMS dat folder. The dat folder is located in the vSEC:CMS installation directory, typically C:\Program Files (x86)\Versasec\vSEC_CMS if the default location was chosen during installation.

1. Right click the dat folder and select Properties.

2. Go to the Security tab, click the Edit button and add the dedicated Windows user account. Give the user full control and click Apply.

3. Additionally, specific permissions must be configured for this Windows account on a registry key. Open the registry editor (regedit) and browse to the location below:

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Versatile Security\vSEC_CMS_T\Service]

Right click the Service key and select Permissions. Click the Add button, add the Windows user created and give them full control. Click Apply and close.

4. Start vSEC:CMS Service from the Services console. The vSEC:CMS Service will now run under the dedicated Windows account.

Important: If vSEC:CMS does not start up and shows an error that the specified database does not exist, this is typically because the Windows user account cannot access the dat folder and/or cannot write to or execute in it. Make sure that the Windows user account has read, write and execute access to this folder.

Additionally, check that the registry value below is set to 0:

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Versatile Security\vSEC_CMS_T\Service\autorecover]
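The Step 1.3 procedure above (service logon account, full control on the dat folder and on the Service registry key, and the autorecover check) can be applied and verified from an elevated PowerShell session instead of the GUI. The script below is an added example, not Versasec's own tooling; the account name, install path and service display name are placeholders taken from the guide's text, and the service's display name in services.msc is an assumption.

```powershell
# Added example (not Versasec tooling): apply and verify the Step 1.3 settings for the
# dedicated vSEC:CMS service account. Run elevated on the CMS server.
param(
    [string]$ServiceAccount = 'VERSATILESECURI\cms_service',             # pre-2000 DOMAIN\user form (guide's example)
    [string]$InstallDir     = 'C:\Program Files (x86)\Versasec\vSEC_CMS', # default install location from the guide
    [string]$ServiceDisplay = 'vSEC:CMS Service'                           # assumed display name in services.msc
)

$DatDir  = Join-Path $InstallDir 'dat'
$RegPath = 'HKLM:\SOFTWARE\Wow6432Node\Versatile Security\vSEC_CMS_T\Service'

# The guide requires the pre-2000 (DOMAIN\user) form; a UPN (user@domain) or a bare
# user name can leave the service unable to auto-start after a reboot.
if ($ServiceAccount -notmatch '^[^\\@]+\\[^\\@]+$') {
    throw "Service account '$ServiceAccount' must be in DOMAIN\user form"
}
$null, $sam = $ServiceAccount.Split('\', 2)

# Optional: password never expires (needs the RSAT ActiveDirectory module; assumed present).
if (Get-Module -ListAvailable -Name ActiveDirectory) {
    Set-ADUser -Identity $sam -PasswordNeverExpires $true
}

function Grant-FullControl {
    # Adds an Allow/FullControl ACE for $Account on a folder or a registry key.
    param([string]$Path, [string]$Account, [switch]$Registry)
    $acl = Get-Acl -Path $Path
    if ($Registry) {
        # Registry keys only have container children, so ObjectInherit does not apply.
        $rule = [System.Security.AccessControl.RegistryAccessRule]::new(
            $Account, 'FullControl', 'ContainerInherit', 'None', 'Allow')
    } else {
        $rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
            $Account, 'FullControl', 'ContainerInherit, ObjectInherit', 'None', 'Allow')
    }
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

# Steps 1-3: stop the service and change its logon account. Win32_Service.Change is used
# instead of 'sc.exe config ... password=' so the password never appears on a command line.
$svc  = Get-Service -DisplayName $ServiceDisplay -ErrorAction Stop
Stop-Service -Name $svc.Name -Force
$cred = Get-Credential -UserName $ServiceAccount -Message 'Password for the vSEC:CMS service account'
$cim  = Get-CimInstance -ClassName Win32_Service -Filter "Name='$($svc.Name)'"
$rc   = Invoke-CimMethod -InputObject $cim -MethodName Change -Arguments @{
    StartName     = $ServiceAccount
    StartPassword = $cred.GetNetworkCredential().Password
}
if ($rc.ReturnValue -ne 0) { throw "Win32_Service.Change failed, return code $($rc.ReturnValue)" }

# Configure Windows Permissions: full control on the dat folder and on the Service key.
Grant-FullControl -Path $DatDir -Account $ServiceAccount
Grant-FullControl -Path $RegPath -Account $ServiceAccount -Registry

# Step 4: start the service and confirm it now logs on as the dedicated account.
Start-Service -Name $svc.Name
$running = Get-CimInstance -ClassName Win32_Service -Filter "Name='$($svc.Name)'"
'{0} is {1}, logging on as {2}' -f $running.DisplayName, $running.State, $running.StartName

# Troubleshooting check from the guide: autorecover under the Service key should be 0.
$auto = Get-ItemProperty -Path $RegPath -Name autorecover -ErrorAction SilentlyContinue
if ($null -eq $auto -or $auto.autorecover -ne 0) {
    Write-Warning "autorecover is '$($auto.autorecover)'; the guide expects 0"
}
```

If the service still fails with the "database does not exist" error after this, re-run only the final block of the script and inspect `(Get-Acl $DatDir).Access` for the service account's ACE before looking elsewhere.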

Important: If vSEC:CMS is configured to use MS SQL as the database it will be required to add the dedicated Windows user account to the MS SQL database.

Important: If vSEC:CMS is configured to use MS CA it is required that the dedicated Windows account has permissions on the CA to revoke certificates. For example, in the Windows certsrv console right click the CA and select Properties. Then from the Security tab ensure that the dedicated Windows user account is in a Group or user list with minimum permission of Issue and Manage Certificates.

Additionally, if MS CA is used and certificate operations such as issue or revoke are performed from the USS, the USS performs those operations on the CA using the dedicated Windows account. The CMS service connects to the CA remotely in this case, so it is important that the correct Interface Flags, as defined in the MS Certificate Services Remote Administration Protocol, are set. These flags are configured on the CA server in the registry key:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\{CA Name}\InterfaceFlags].

It is expected that a skilled MS Certificate Services integration engineer performs this check and configuration where it is required. If the flags are not configured correctly you may get a warning from the USS application stating “The certificate cannot be revoked automatically as the Certification Authority (CA) is currently unreachable. The revocation request will be cached and will be sent to the CA when the CA is available.”

Additional Important Information

1. From the Operator console, when issuing/re-issuing smart cards with certificates from the Lifecycle or Actions – Certificate(s)/keys page, vSEC:CMS uses the current Windows logged on user if the CA connection is configured to Use from domain. Therefore, this user needs to have Enroll permissions on the CA certificate template. Otherwise vSEC:CMS will use the credentials that have been configured from the CA connection when opening the Select CA dialog from the CA connector.

2. From the Operator console when a smart card is being revoked vSEC:CMS uses the current Windows logged on user if the CA connection is configured to Use from domain. Therefore, this user needs to have Issue and Manage Certificates permissions on the CA, which are configurable from the certsrv console on the CA. Otherwise vSEC:CMS will use the credentials that have been configured from the CA connection when opening the Select CA dialog from the CA connector.

Step 1.4 - Configure Backup Settings

1. Log on again to the application console with the System Owner token. You will be presented with a warning that the automatic backup of the database is not configured. Click Ok.

2. From the Options - Settings page ensure that the Automatic backup enabled check box is checked. Click the Schedule button. Click the Perform backup now button to confirm that the backup can be written to the location specified in the Backup folder setting.

Step 1.5 - Setup Connection to AD

1. From Options - Connections click the Add button. Select Active Directory and click Ok.

2. Enter a template name. It is recommended to select Use current user credentials so that the currently logged on Windows credential is used. Alternatively, uncheck Use current user credentials and manually enter the AD server name and the Windows credential to connect with. Click the Test button and search for a user in your AD to confirm connectivity. Click Save to save and close.

Step 1.6 - Setup Connection to MS CA

1. From Options - Connections click the Add button. Select Certificate Authorities and click Ok.

2. Enter a template name and select the Windows CA (Microsoft Enterprise Certification Authority) from the drop-down list.

3. Click the Select CA button, which launches a dialog where the DC from which the CA configuration information should be read can be specified. As vSEC:CMS would normally be on a server connected to the DC, select the Use from domain radio button and click the Ok button. If vSEC:CMS is not on the domain, select the Use specific server radio button and enter the server details for the DC and the Windows account to connect with, entered as the Windows account name.

Important: If Use from domain is selected then the logged-on Windows account will be used to connect to the CA. Therefore, the Windows account will need to have the appropriate permissions on the CA to connect to it.

Important: If the CA connection is used in conjunction with vSEC:CMS User Self-Service (USS) then the Windows account used to connect to the CA when performing certificate operations in the USS will be the dedicated Windows account that the CMS is configured to run under. Therefore, the dedicated Windows account will need to have the appropriate permissions on the CA to connect to it.

4. The enterprise CA server details should now be populated in the drop-down lists. Select the appropriate server for your configuration.

5. Click the Templates button to view all the available CA templates. Enable the Show all checkbox and click the Update button to view all available templates.

6. As this is the first setup of the connection to the CA, an Enrollment Agent (EA) certificate is required. An EA certificate must be available for any operator who will be issuing certificates on behalf of other users, so since this is the first setup an EA must be requested. In the Enrollment Agent section enable Sign server side. This automatically greys out the Proxy through server setting, as all Operator console certificate issuances are to be proxied through the server. Click the Request button to start the issuance. If more than one EA certificate template is configured on the CA, a dialog will be presented from which the EA certificate template to use should be selected. An EA certificate is then issued to the local certificate store of the Windows account that vSEC:CMS is running under.

Important: The EA certificate is issued to the Windows account that the vSEC:CMS service runs under. On the certificate template configured on the CA, the This number of authorized signatures checkbox on the Issuance Requirements tab must be disabled.

7. Click the Save button to complete the setup.
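Two of the CA prerequisites in Step 1.3 (the Interface Flags on the CA server) and Step 1.6 (the Enrollment Agent certificate in the service account's store) can be checked read-only before the first issuance. The functions below are an added example, not Versasec's or Microsoft's tooling: Test-CaInterfaceFlags runs on the CA server and reads the registry key named in Step 1.3, and Test-EnrollmentAgentCert runs on the CMS server as the dedicated service account. The CA name is a placeholder, and the flag names and bit values are taken from certsrv.h in the Windows SDK (cross-check them with `certutil -getreg CA\InterfaceFlags`).

```powershell
# Added example (not Versasec tooling): read-only checks for the CA prerequisites.

function Test-CaInterfaceFlags {
    # Run on the CA server. Reports whether any Interface Flag would block the remote
    # DCOM interfaces the CMS service uses (ICertRequest for issuance, ICertAdmin for revocation).
    param([Parameter(Mandatory)][string]$CaName)   # placeholder: the CA's registry configuration name
    $key   = "HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\$CaName"
    $flags = (Get-ItemProperty -Path $key -Name InterfaceFlags -ErrorAction Stop).InterfaceFlags

    # Bit values from certsrv.h (Windows SDK); verify with: certutil -getreg CA\InterfaceFlags
    $blocking = @{
        IF_NOREMOTEICERTREQUEST = 0x2    # blocks remote certificate requests
        IF_NOREMOTEICERTADMIN   = 0x10   # blocks remote admin calls such as revocation
    }
    $problems = foreach ($name in $blocking.Keys) {
        if ($flags -band $blocking[$name]) { $name }
    }
    [pscustomobject]@{
        CA             = $CaName
        InterfaceFlags = ('0x{0:X}' -f $flags)
        RemoteOk       = (-not $problems)
        BlockingFlags  = $problems
    }
}

function Test-EnrollmentAgentCert {
    # Run on the CMS server as the dedicated service account: Step 1.6 issues the EA
    # certificate into that account's personal store. Lists certificates carrying the
    # Certificate Request Agent EKU and whether each is currently usable.
    $eaEku = '1.3.6.1.4.1.311.20.2.1'   # szOID_ENROLLMENT_AGENT
    $now   = Get-Date
    Get-ChildItem -Path Cert:\CurrentUser\My |
        Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains $eaEku } |
        ForEach-Object {
            [pscustomobject]@{
                Subject    = $_.Subject
                Thumbprint = $_.Thumbprint
                NotAfter   = $_.NotAfter
                Usable     = ($_.HasPrivateKey -and $_.NotBefore -le $now -and $_.NotAfter -gt $now)
            }
        }
}

# Example calls (the CA name is a placeholder):
# Test-CaInterfaceFlags -CaName 'EXAMPLE-CA' | Format-List
# Test-EnrollmentAgentCert | Format-Table -AutoSize
```

An empty result from Test-EnrollmentAgentCert while running as the service account is the simplest explanation for a failed server-side signing, and RemoteOk being false explains the "CA is currently unreachable" warning quoted in Step 1.3 without any change to the CMS itself.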

Section 2: Configure and Issue First Full-Featured Operator

Before beginning this section, it is necessary that you have successfully completed the first section of this document.

Follow the instructions in this section to configure and issue the first Full-Featured Operator Token (Full-Featured OT) in vSEC:CMS. It is important to have at least one Full-Featured OT in your installation which has a role of System Administrator, more of which will be described in this section.

A Full-Featured OT is a smart card token that has been issued with a vSEC:CMS Operator Applet.

Important: If the smart card token(s) to be issued as Full-Featured OT do not have a vSEC:CMS Operator Applet on them, follow the instructions in the section Activator Tool for details on how to issue it. Check with your provider whether your Full-Featured OT has already been issued with a vSEC:CMS Operator Applet.

Important: The Full-Featured OT in this case must be a Gemalto IDPrime MD 830 or Gemalto .NET smart card. For the Gemalto IDPrime MD 830, a specific type of this token is required; your provider should be able to supply it. Additionally, the token should be in default factory state.

Step 2.1 - Configure Full-Featured OT Card Template

1. Navigate to the Options - Smart Cards page. When the page has loaded, attach the Gemalto IDPrime .NET smart card token that you will use as a Full-Featured OT with vSEC:CMS. vSEC:CMS will filter the card type and present the Gemalto .NET card.

2. Select the entry and click Edit. For Smart Card Access ensure that Use native access if possible is selected and click Save.

3. From Templates - Card Templates click the Add button.

4. Click the Edit link for General.

5. Enter a template name, attach the Full-Featured OT to your host and click the detect button. A dialog will be displayed and, if the Full-Featured OT is a valid token, it will show: "applicable to .NET card with v7.1.0.2 minidriver applet, vSEC:CMS Operator". Click Ok to close the dialog.

6. Enable vSEC:CMS Operator Card checkbox and from the drop-down list select the Full Featured Operator Card option.

7. Click the Roles button. From this dialog it is possible to configure how the role(s) applied to the issued operator smart card are selected during issuance. If the issuing operator is to be allowed to select the role manually during issuance, select the option Select Operator Role manually during issuance. If the role is to be set automatically during issuance, select the option Automatically set selected role(s) during issuance and pick the roles to be set from the list. In this section we select Select Operator Role manually during issuance, as we want to choose specific role(s) for this first Full-Featured OT.

8. Click Ok to save the settings.

9. Click the Edit link for Issue Card.

10. For Assign user ID select the AD connection configured in Section 1 (Step 1.5).

11. Click Ok to save and close the dialog which should close the card template configuration.

Step 2.2 - Issue Full-Featured OT

1. From the Lifecycle page attach the Full-Featured OT that is to be issued and click the Issued oval. Select the card template from the Select card template drop-down list and click the Execute button.

2. Enter the System Owner token PIN (passcode) when prompted.

3. Select a user from AD that the Full-Featured OT is to be issued to.

4. Select the role(s) that this Full-Featured OT will have. As this is the first Full-Featured OT that is to be issued you should select all roles for this particular operator.

5. When the issuance completes a message dialog indicating that an authentication key has been added to vSEC:CMS will appear followed by a short summary dialog with details on what operations have been performed.

The Full-Featured OT is now in an Issued state as can be seen from the process diagram. By default, the smart card PIN will be blocked so it will be necessary to unblock the smart card. Typically, the person who will use this smart card (the operator in this use case) will set the PIN code on the smart card.

6. Click the Active oval and click the Execute button.

7. Enter the System Owner token PIN (passcode) when prompted.

8. Enter the PIN code that will be set on the Full-Featured OT. Click Initiate to set the PIN code on the smart card and make it active.

9. A summary dialog will appear. Click Ok to close.

The smart card will now be in an active state and can be used by the operator to log onto vSEC:CMS.

It is recommended at this point to close the application and store the System Owner smart card in a safe, to be used only in emergency circumstances. The issued Full-Featured OT can now be handed to the operator, who can use it to log on and start configuring and issuing smart card tokens as required.

This completes the use case.