This article explains the settings that can be configured from this section.
When the vSEC:CMS system is first created, typically by a smart card vendor distributor, the distributor issues what is referred to as the System Owner operator token. This operator can perform all CMS operations, and the roles configured for this operator cannot be changed.
Only an operator with the System Administrator role can activate, deactivate, edit or delete another operator.
From this page it is possible to configure the operators that are allowed to perform operations with the vSEC:CMS. Additionally, it is possible to configure the EA (Enrollment Agent) signing certificate that is used to sign user certificate requests submitted through the USS.
Each operator will be listed in the operator table.
The ID is an internal identifier for the operator in the system.
The Name is the name of the person the operator was issued to. The System Owner operator card is always named System Owner in the table.
The Role(s) column lists all of the roles assigned to this operator.
The CSN is the card serial number of the particular operator card.
The # of keys is the number of authentication keys registered on the operator's token; these keys are used when the operator logs on to the vSEC:CMS.
The Registered at is the time and date when the operator card was created on the system.
The Last logon at is the time and date when the operator last logged onto the system.
A number of configuration options are available from here.
Certificate Request Signing
Click the Cert request signing button to open the configuration dialog. The same dialog can also be opened from the menu File - Service Signing Settings.
From this dialog, the EA certificate used to sign certificate requests coming from clients through the USS is configured. Select the CA to be used from the Certification Authorities drop-down list. Summary information about the selected CA is shown in the window below it. From the Certificate(s) drop-down list, select the EA certificate to be used. The vSEC:CMS presents the certificate(s) it finds in the Windows certificate store of the Windows user account that the vSEC:CMS service runs under, so the private key corresponding to the selected certificate must be accessible to that account. If an HSM is used to store the EA private key, the HSM must be exposed through an MS-CAPI/CNG provider.
In this type of setup, the vSEC:CMS service must be configured to run under a specified Windows user account. This adds a higher level of security because only that Windows user account has access to the EA certificate and its private key.
The certificate selected here must be of the EA certificate type; otherwise the CA will reject the certificate issuance.
Click the Test button to check that the certificate can be used to sign certificate requests. Click the View button to see additional information about the selected certificate.
Enable Check certificate validity before signing if you want the vSEC:CMS to verify the EA certificate's validity before each signing operation. Enable Stop card issuance before expiry date and set the number of days before the EA certificate expires; any certificate issuance attempted inside this period will fail. Enable Warn before stop and enter the number of days before the stop criterion becomes effective; during that period a warning is shown in the system health.
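The settings above depend on three things that are easy to get wrong outside the dialog: the service must run under a named Windows account, that account's personal store must hold an EA certificate with a usable private key, and the expiry thresholds decide when issuance stops. The following PowerShell script, added here as a worked example and not part of the vSEC:CMS product or its documentation, checks those three points from the command line. It assumes the Windows service is named `vSEC:CMS` and uses 30/60 days as stand-in values for the stop and warn thresholds; adjust all three to match your installation. It must be run in a session logged on as the service account, because the service reads the EA certificate from that account's CurrentUser\My store, not from the store of whoever is at the console.

```powershell
# Added example (not vSEC:CMS code). Checks the preconditions for EA certificate request signing.
# Run as the Windows account the vSEC:CMS service logs on with.
param(
    [string]$ServiceName = 'vSEC:CMS',   # assumption: replace with the real Windows service name
    [int]$StopDays = 30,                  # "Stop card issuance before expiry date" value (assumed)
    [int]$WarnDays = 60                   # "Warn before stop" value (assumed)
)

# Certificate Request Agent EKU; its presence marks an Enrollment Agent (EA) certificate.
$EaEku = '1.3.6.1.4.1.311.20.2.1'

# 1. Confirm the service runs under a named account, and that we are that account.
$svc = Get-CimInstance Win32_Service -Filter "Name='$ServiceName'"
if ($null -eq $svc) {
    Write-Warning "Service '$ServiceName' not found; check the service name"
} else {
    "Service '$($svc.Name)' logs on as: $($svc.StartName)"
    if ($svc.StartName -match '^(LocalSystem|NT AUTHORITY\\)') {
        Write-Warning 'Service runs as a built-in account; the EA key should live under a dedicated user account'
    } elseif ($svc.StartName -notmatch [regex]::Escape($env:USERNAME)) {
        Write-Warning "This session is '$env:USERDOMAIN\$env:USERNAME', not the service account; the store listed below is not the one the service sees"
    }
}

# 2. Enumerate EA certificates in the current user's personal store and report their state.
$candidates = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains $EaEku }
if (-not $candidates) { Write-Warning 'No certificate with the Certificate Request Agent EKU in CurrentUser\My' }

foreach ($cert in $candidates) {
    # Which key storage provider holds the private key? An HSM shows up as its KSP/CSP name here.
    $provider = try {
        $k = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
        if ($k -is [System.Security.Cryptography.RSACng]) { $k.Key.Provider.Provider }
        elseif ($k -is [System.Security.Cryptography.RSACryptoServiceProvider]) { $k.CspKeyContainerInfo.ProviderName }
        elseif ($null -eq $k) { 'no private key' }
        else { $k.GetType().Name }
    } catch { "not accessible: $($_.Exception.Message)" }

    # Chain and revocation check, the same idea as "Check certificate validity before signing".
    $chainOk = [bool](Test-Certificate -Cert $cert -EKU $EaEku -ErrorAction SilentlyContinue)

    # Map days-to-expiry onto the stop/warn windows configured in the dialog.
    $daysLeft = [int][math]::Floor(($cert.NotAfter - (Get-Date)).TotalDays)
    $status = if ($daysLeft -le 0)                        { 'EXPIRED: issuance fails' }
              elseif ($daysLeft -le $StopDays)            { 'STOP: inside stop window, issuance fails' }
              elseif ($daysLeft -le $StopDays + $WarnDays) { 'WARN: stop window approaching' }
              else                                        { 'OK' }

    [pscustomobject]@{
        Subject       = $cert.Subject
        Thumbprint    = $cert.Thumbprint
        HasPrivateKey = $cert.HasPrivateKey
        KeyProvider   = $provider
        NotAfter      = $cert.NotAfter
        DaysLeft      = $daysLeft
        ChainValid    = $chainOk
        Status        = $status
    }
}
```

A certificate that lists `HasPrivateKey = False` or a `KeyProvider` of "not accessible" will appear in the dialog's drop-down but fail the Test button, because the service account cannot sign with it. When the key sits in an HSM, `KeyProvider` should show the vendor's CNG key storage provider name; if it shows a software provider instead, the key was not generated on the HSM.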
Update Keys
It is possible to update the vSEC:CMS with the authentication key(s) used to authenticate an operator when logging on with a client. If a new key has been added to an operator's card, a logged-on operator can register the new authentication key for that operator by selecting the operator in the table and attaching the operator's card to the system.
Add Service Key Store
From the Add service key store dialog, the operator service wizard sets up the operator service key store that is used for USS operations.
Details
Select an operator and click the Details button to retrieve more information about the operator selected.
The Name field is the name of who the operator is assigned to.
The Created field is the time and date that the operator was created on the system.
The CSN is the card serial number for the operator card.
The Reader is the reader name that the operator card is attached to.
The Status is the current status for the operator.
Additional information is provided in the window below the fields already described.
Activate
Select an operator from the table and click the Activate button to activate an operator that is currently inactive.
Inactivate
Select an operator from the table and click the Inactivate button to inactivate the operator if required.
Edit
The Edit dialog allows operators with the appropriate permissions to add or remove roles for an operator. Select an operator from the table and click the Edit button to adjust the role permissions of the selected operator.