Follow instructions in this article which will explain the settings that can be configured from this section.
Credential Configuration
From the Credentials page, it is possible to configure the default administration key values, as set by the credential manufacturer, to a configurable value.
If the credential minidriver is not installed on the system that the vSEC:CMS is running on then the credential will not be recognized and consequently it will not be possible to perform operations with the credential.
To add a new credential type, attach the credential you wish to add and click the Add button. Enter a template name and click the Add button.
If the ATR is unknown click the Get button to automatically retrieve the ATR.
Administration Key
In this section, the expected administration key value when the credential is received from the vendor can be set here along with the default administration value that will be set on the credential when it is unregistered by the vSEC:CMS application. The key type can also be configured.
The ATR and some parts of the bytes are unique for a specific credential type, whereas other credentials may differ. Even so, the credential type is still the same.
For example, the Gemalto .NET s can have ATR=3B0000417374726964, or ATR=3B0001417374726964.
From this, a mask can be configured to inform an application using the credential which part of the ATR to compare. In the example given, Mask=FF0000FFFFFFFFFFFF means that the bytes 3B and 417374726964 will have to be identical, while the bytes 0000 can be different.
If you are managing a Gemalto/Safenet eToken it will be necessary to have the Safenet Authentication Client (SAC) installed on the host where you manage the tokens from. Additionally, if you require that the vSEC:CMS should perform the initialization of the token then from the credential dialog enable the Initialize the token at registration check box. This will remove the requirement to initialize these tokens using SAC which would be required if you did not wish for the vSEC:CMS to perform this task.
If you are managing Atos CredentialOS credentials it will be necessary to have them initialized firstly using the CredentialOS API application using a PUC code of 123456.
Secure Messaging
Secure messaging provides end-to-end security for the communication between the credential and off-credential entity, the vSEC:CMS in this case, by adding confidentiality, integrity and authentication to the APDU transactions for the credential. This feature is supported for the PIV credentials supported by the vSEC:CMS.
In order to use this feature, it will be necessary to configure the keys used to establish the secure channel for the secure messaging. Key usage here is implemented based on the global platform specification.
From the Options - Credentials page select the PIV credential and click the SM Key(s) button to configure secure messaging keys.
Depending on the credential type used the vSEC:CMS uses the default factory keys used for establishing secure messaging channel. If these values are not the default value then it will be necessary to change the values here. Please consult with your provider if the keys are not the default values. The keys configured here are based on the global platform specification.
The vSEC:CMS can take ownership of managing the GP. This means that if the checkbox Take ownership when managing the credential is enable then you can select the Static key or Diversified key option. If Static key option is selected then the value entered in the field provided will be set on any credential that is registered and managed by the vSEC:CMS. When the credential is unregistered the vSEC:CMS will set the GP keys back to the default values as set in ROOT, ENC, MAC and DEK. Similarly, if Diversified key option is selected the vSEC:CMS will diversify a new GP key for any credential registered and managed by the vSEC:CMS. Again, in this case when the credential is unregistered the vSEC:CMS will set the GP keys back to the default values as set in ROOT, ENC, MAC and DEK. Contact Versasec for details on what credentials, GP and applets that can be managed in this way.