Follow instructions in this article which will explain the settings that can be configured from this section.
LDAP Server
From Options - Connections click the Configure button and ensure that LDAP Server is added to the Selected window.
Then from Options - Connections click LDAP Server to add template.
Enter a template name and enter the hostname for the LDAP along with the port, protocol and enable SSL/TLS if a secure connection is required. Click the Test Connection button to ensure that the system that the vSEC:CMS is running on is reachable. If simple authentication parameters are required enable this option and provide the necessary username and password to connect to the LDAP. Click Save button when complete.
Active Directory
From Options - Connections click the Configure button and ensure that Active Directory is added to the Selected window.
Then from Options - Connections click Active Directory to add template.
Enter a template name and enable the Use current user credentials if the vSEC:CMS is connected to a host that is logged onto a domain. If more than one DC is available, then select one from the drop-down list in the Server field.
If the vSEC:CMS is not connected to a DC then it is possible to enter a domain server address along with a username and password. Click the Test button to ensure that the domain is reachable. An AD search dialog should be displayed if the domain is reachable from where a user can be searched for to test the connectivity. Click the Save button to complete the setup.
Certificate Authorities
The vSEC:CMS can be configured to connect to a number of different CA's each of which is described below in this section.
Microsoft Enterprise Certificate Authority
The vSEC:CMS can be configured to connect to a CA that is:
- Available on a domain or
- That is located in a different domain from where the vSEC:CMSis installed or
- The CA is installed on a standalone server.
To add a CA connection from Options - Connections click the Configure button and make sure that Certificate Authorities is added to the Selected window.
From Options - Connections click Certificate Authorities and click Add to open the dialog where the CA specific connection details are configured.
Enter a template name and select the Windows CA (Microsoft Enterprise Certification Authority) from the drop-down list.
Click the Select CA button which will launch a dialog from where it is possible to specify the DC from where the CA configuration information should be read. If the vSEC:CMS is on a server connected to the domain then select the Use from domain radio button and click the Ok button. If the CA is located in a different domain from where the vSEC:CMSis installed or the CA is installed on a standalone server then select the Use specific server radio button and enter the server details for the DC and the Windows account to connect with. The Windows account should be the Windows sAMAccountName if on a domain.
The enterprise CA server details should now be populated in the drop-down lists. Select the appropriate server for your configuration.
There needs to be at least one certificate template available on the CA.
Click the Templates button to view all the available CA templates. Enable the Show all checkbox and click the Update button to view all available templates.
Click the Get button to get the certificate issuer DN which will be used if the PKCS#12 import functionality is used. This will be required to determine if the imported PKCS#12 certificates can be managed by the vSEC:CMS.
In the Enrollment Agent (EA) section, the EA certificate available to the system will be shown. If there is an EA certificate available on the currently logged on operator's token then the vSEC:CMS will automatically show this as selected in the drop-down list and you will see a message Stored on: Operator token below the drop-down list. Additionally, it is possible to issue an EA certificate to the System Owner operator token. This will normally be configured when setting up the system on first use. Simply request one by clicking the Request button. If more than one EA certificate is configured on the CA a dialog will be presented from which the enrollment agent certificate should be selected. The message Stored on: Operator token will be shown indicating that the EA certificate is stored on the operator token.
Enable the Disable retrieving renewed certificates before revocation if it is required to disable the vSEC:CMSfrom checking on the CA for already renewed certificates that may have been renewed outside of the vSEC:CMS.
From version 5.4.1.0 it is possible to configure the communication from clients where the Operator console is run from to proxy all the CA communication through the vSEC:CMS service. Enable Proxy through server if this is required in your environment. Otherwise the clients will need to be able to connect to the CA directly from the clients.
Click the Save button to complete the setup.
Entrust CA
If the Entrust CA is used it will not be possible to use the Self-Service capabilities of the vSEC:CMSto manage the certificate(s) on the smart card. Also, it will only be possible to configure one Entrust CA connection per vSEC:CMS setup.
To add a CA connection from Options - Connections click the Configure button and make sure that Certificate Authorities is added to the Selected window.
From Options - Connections click Certificate Authorities and click Add to open the dialog where the CA specific connection details are configured.
Enter a template name and select Entrust (Entrust Certificate Authority) from the drop-down list. Click the Configure button for Java.
Select the version of installed Java Runtime Environment (JRE) which needs to be available on the server where the vSEC:CMSis running. Also enter any standard JVM parameters that may need to be set depending on your environment and recommendations from Entrust. Click Ok to close.
It is required that a 32-bit version of JRE is installed on the server as the vSEC:CMSis a 32-bit application.
Click the Configure button for Client Toolkit configuration options.
Enter the server address and port that the Entrust CA is running on. Click the Test button to ensure connectivity to the CA. Select Do not login if it is not required to use profile based credentials to authenticate to the CA otherwise select Use profile based credentials if a profile file is to be used. Browse to the location where the client toolkit epf file that will be used is stored and enter the epf passcode. Click the Test button to ensure that the profile credential selected is valid. If a certificate stored on the operator smart card is to be used select the Use certificate based credentials radio button. Select the certificate from the drop-down list. The message Stored on: Operator Token should be displayed below the drop-down list. Click the Test button to ensure that the profile credential selected is valid.
The certificate credential used on the operator card will need to be present on the card when using this option. The vSEC:CMSdoes not provide a mechanism to import such certificates onto the operator card.
Click OK to save and close the Client Toolkit configuration dialog.
Click the Configure button for Admin Toolkit.
Enter the server address and port that the Entrust CA is running on. Click the Test button to ensure connectivity to the CA. Select Do not login if it is not required to use profile based credentials to authenticate to the CA otherwise select Use profile based credentials if a profile file is to be used. Browse to the location where the client toolkit epf file that will be used is stored and enter the epf passcode. Click the Test button to ensure that the profile credential selected is valid. If a certificate stored on the operator smart card is to be used select the Use certificate based credentials radio button. Select the certificate from the drop-down list. The message Stored on: Operator Token should be displayed below the drop-down list. Click the Test button to ensure that the profile credential selected is valid.
The certificate credential used on the operator card will need to be present on the card when using this option. The vSEC:CMSdoes not provide a mechanism to import such certificates onto the operator card.
Click OK to save and close the Admin Toolkit configuration dialog.
Enable the Add user to CA check box and click the Configure button to open the dialog if the user that the smart card is to be issued to is to be added to the Entrust CA.
The user will need to exist already in the user directory (typically Active Directory).
From the User type drop-down list select the user type that the user will be added to. The available types are read from the types that are configured on the Entrust CA.
From Certificate type select the type that will be set for the user. The available certificate types are read from the types that are configured on the Entrust CA.
Select which group that the user will be assigned to. The available groups are read from the groups that are configured on the Entrust CA.
Enable the Import from PKCS12 files if it will be required to import PKCS12 file(s) during the issuance process. Click the Configure button to configure specific settings for the PKCS12 file(s) that are to be imported. Click the Get button for the Certificate Authority Issuer DN to determine the DN of the issuing CA. A PKCS12 file that is to be imported can be selected to allow the vSEC:CMS to determine the issuing DN from the PKCS12 file. Click the Get button for Default folder to browse for PKCS12 files to set the default location where the vSEC:CMS will select the PKCS12 files from. Enter a default passphrase if the PKCS12 files that are to be imported are configured to be automatically selected from a certificate database certificate list file which has the same passphrase for each PKCS12 file in the database. Click Ok to save and close.
Click the Templates button and click the Update button to retrieve all available certificate templates that are available. See Entrust Certificate Templates section below for further details on this. Click OK to close.
Select the Use key archival at CA if it is required to use the Entrust key archival feature.
Entrust Certificate Templates
The Entrust certificate templates that are available from the vSEC:CMSare defined in the cfg file CaPluginEntrustCA.cfg. This file is located in the plugins folder where the vSEC:CMSwas installed. This file will define the certificate templates that are available on the Entrust CA. In this file, there is a section <cfg> where the templates are defined. For example, in the example cfg file below there are two templates defined. These are Verification and Encryption. The certificate template name needs to correspond to the actual template name as configured on the Entrust CA. The name is case sensitive. The <minKeyLen> define the minimum key length as configured on the CA for the particular template. The<keySpec> defines the key type where 1 is for KEYEXCHANGE and 2 is for SIGNATURE. The <count> parameter, which is a hexadecimal counter, defines how many certificate templates are defined in the cfg, 2 in the example below. If a new certificate template is created on the Entrust CA that needs to be available to the vSEC:CMSthen it would be necessary to add the template details to the cfg file.
<cfg>
<templates>
<count>00000002</count>
<1>
<name>Verification</name>
<minKeyLen>1024</minKeyLen>
<keySpec>2</keySpec>
</1>
<2>
<name>Encryption</name>
<minKeyLen>1024</minKeyLen>
<keySpec>1</keySpec>
</2>
</templates>
</cfg>
GlobalSign CA
The vSEC:CMS can be configured to connect to a GlobalSign Enterprise PKI (EPKI). The EPKI is a cloud-based managed PKI service to issue and manage GlobalSign Client Certificates.
Important: If EPKI is used it will not be possible to use the Self-Service capabilities of the vSEC:CMSto manage the certificate(s) on the smart card.
To add a CA connection from Options - Connections click the Configure button and make sure that Certificate Authorities is added to the Selected window.
From Options - Connections click Certificate Authorities and click Add to open the dialog where the CA specific connection details are configured.
Enter a template name and from the drop-down list of available CA's select GlobalSign (GlobalSign CA). Enter the URL of your GlobalSign CA and click the Test button to ensure connectivity to the GlobalSign CA. A success dialog should appear if the connection is successfully established. Enter the username and password that will be used to authenticate to the GlobalSign CA in the User Name and Password fields and click the Test button to ensure the credentials are correct. A success dialog should appear if the credentials provided are valid. Click the Request fields button to configure the attributes that can be sent in the certificate request. Click the Templates button to view and update the list of available templates from the CA.
When the Templates dialog is opened the name of the templates may not be presented in a user-friendly format. Please request details from Versasec on how to transform the template names into user friendly format.
Configure Request Fields
On clicking the Request fields button a configuration dialog will appear. By default, the Common Name (CN) request field is shown. This field is mandatory for the GlobalSign CA. It will be necessary to assign a variable placeholder for this field that are assigned to an attribute value in your directory.
By default, the Value field will be populated with a placeholder variable ${CommonName}. This placeholder will need to be assigned to a directory attribute value from your directory, for example in AD this would typically be the attribute 'cn'. If it is required to change this click the ${CommonName} in the Value field which will open a dialog from where it is possible to change this value.
Additional fields can be added by clicking the Fields button.
For further details and assistance with configuring specific settings for your GlobalSign CA please contact Versasec for support.
Symantec CA
The vSEC:CMS can be configured to connect to a Symantec MPKI for issuing users with certificates.
If the Symantec MPKI is used it will not be possible to use the Self-Service capabilities of the vSEC:CMSto manage the certificate(s) on the smart card.
To add a CA connection from Options - Connections click the Configure button and make sure that Certificate Authorities is added to the Selected window.
From Options - Connections click Certificate Authorities and click Add to open the dialog where the CA specific connection details are configured.
Enter a template name and from the drop-down list of available CA's select Symantec (Symantec MPKI). Enter the URL of your Symantec MPKI and select the client certificate needed to authenticate to the CA. It is possible to import a PKCS#12/PFX client certificate if required for the client certificate by clicking the Import button. Click the Test button to ensure connectivity to the CA. A success dialog should appear if the configuration parameters are correct. Click the Get instances button to retrieve the CA instances available and select the required instance from the drop-down list. Click the Templates button to view and update the list of available templates from the CA. Click the Request fields button to configure the attributes that can be sent in the certificate request.
When the Templates dialog is opened the name of the templates may not be presented in a user-friendly format. Please request details from Versasec on how to transform the template names into user friendly format.
Configure Request Fields
On clicking the Request fields button a configuration dialog will be shown. By default, three request fields are present. These fields are mandatory for the CA. It will be necessary to assign a variable placeholder for these fields that are assigned to an attribute value in your directory.
Click in the Value (empty by default) field which will open a dialog.
If this is the first time configuring this then three vSEC:CMS variables are available. These variables are assigned to attributes in the AD. If it is required to add additional variables and assign them to directory attributes click the Add variable button. Select the variable that will be used from the available list and click Ok.
Additional fields can be added by clicking the Fields button.
If the Name value should be a static value hold down the Ctrl key and click in the Value field. For example, if we wanted to configure a Name called Country to have a static value of USA then by holding down the Ctrl key and clicking the Value field it is possible to enter the static value.
The Name fields can be either in bold or normal. If the Name field is in bold it means that a corresponding variable needs to be set in the Value field as this will be mandatory value for the vSEC:CMS in this case. If a value is not available and the Name field is set as mandatory (marked in bold) then the certificate issuance will fail for the user.
Symantec7 CA
The vSEC:CMS can be configured to connect to a Symantec7 on-premises CA for issuing users with certificates.
To add a CA connection from Options – Connections click the Configure button and make sure that Certificate Authorities is added to the Selected window.
From Options – Connections click Certificate Authorities and click Add to open the dialog where the CA specific connection details are configured.
Enter a template name and from the drop-down list of available CA’s select Symantec7 (Symantec7 CA). Enter the URL of your Symantec CA and select the client certificate needed to authenticate to the CA. It is possible to import a PKCS#12/PFX client certificate if required for the client certificate by clicking the Import button. Click the Test button to ensure connectivity to the CA. A success dialog should appear if the configuration parameters are correct. Click the Get instances button to retrieve the CA instances available and select the required instance from the drop-down list. Click the Templates button to view and update the list of available templates from the CA.
Enable Proxy through server if it is required that all clients where the Operator console is run from should proxy all CA communication through the vSEC:CMS service. Otherwise the clients will need to be able to connect to the CA directly from the clients and they will need to have the HTTPS client certificate installed on the local client where they connect from. In this case it will be necessary to have the client HTTPS certificate installed on the current user certificate store.
Click the Request fields button to configure the attributes that can be sent in the certificate request.
When the Templates dialog is opened the name of the templates may not be presented in a user-friendly format. Please request details from Versasec on how to transform the template names into user friendly format.
Configure Request Fields
On clicking the Request fields button a configuration dialog will be shown. By default, three request fields are present. These fields are mandatory for the CA. It will be necessary to assign a variable placeholder for these fields that are assigned to an attribute value in your directory.
Click in the Value (empty by default) field which will open a dialog.
If this is the first time configuring this then three S-Series variables are available. These variables are assigned to attributes in the AD. If it is required to add additional variables and assign them to directory attributes click the Add variable button. Select the variable that will be used from the available list and click Ok.
Additional fields can be added by clicking the Fields button.
If the Name value should be a static value hold down the Ctrl key and click in the Value field. For example, if we wanted to configure a Name called Country to have a static value of USA then by holding down the Ctrl key and clicking the Value field it is possible to enter the static value.
The Name fields can be either in bold or normal. If the Name field is in bold it means that a corresponding variable needs to be set in the Value field as this will be mandatory value for the S-Series in this case. If a value is not available and the Name field is set as mandatory (marked in bold) then the certificate issuance will fail for the user.
neXus CA
The vSEC:CMS can be configured to connect to a neXus CA for issuing users with certificates.
Important: If the neXus CA is used it will not be possible to use the Self-Service capabilities of the vSEC:CMSto manage the certificate(s) on the smart card.
To add a CA connection from Options - Connections click the Configure button and make sure that Certificate Authorities is added to the Selected window.
From Options - Connections click Certificate Authorities and click Add to open the dialog where the CA specific connection details are configured.
Enter a template name and select neXus (Nexus Certificate Authority) from the drop-down list. Click the Configure button for Java.
Select the version of installed Java Runtime Environment (JRE) which needs to be available on the server where the vSEC:CMSis running. Also enter any standard JVM parameters that may need to be set depending on your environment and recommendations from neXus. Click Ok to close.
It is required that a 32 bit version of JRE is installed on the server as the vSEC:CMSis a 32 bit application.
Click the Configure button for Connection Settings.
Enter the server details and port number that the server is listening on. Click the Test button to test connectivity to the CA. Select the Use profile based credentials and browse to the location where a PFX exists for the user credential that will be used to authenticate to the CA. Enter the passcode for this PFX in the Profile passcode field and click the Test button to ensure that the credential used is valid.
Alternatively, select the Use certificate based credentials radio button if the credential to authenticate the operator to the CA is stored on a smart card token. Select the certificate stored on the token from the drop-down list and click the Test button to ensure that the credential used is valid.
It is required that the Gemalto IDGo 800 PKCS#11 libraries are installed on the host if using the certificate based credential option.
Click Ok to save and close the dialog.
Click the Get instances button to retrieve the CA instances available and select the required instance from the drop-down list. Click the Templates button to view and update the list of available templates from the CA. Click the Request fields button to configure the attributes that can be sent in the certificate request.
Configure Request Fields
On clicking the Request fields button a configuration dialog will be shown. By default, three request fields are present. These fields are mandatory for the CA. It will be necessary to assign a variable placeholder for these fields that are assigned to an attribute value in your directory.
Click in the Value (empty by default) field which will open a dialog.
If this is the first time configuring this then three vSEC:CMS variables are available. These variables are assigned to attributes in the AD. If it is required to add additional variables and assign them to directory attributes click the Add variable button. Select the variable that will be used from the available list and click Ok.
Additional fields can be added by clicking the Fields button.
If the Name value should be a static value hold down the Ctrl key and click in the Value field. For example, if we wanted to configure a Name called Country to have a static value of USA then by holding down the Ctrl key and clicking the Value field it is possible to enter the static value.
The Name fields can be either in bold or normal. If the Name field is in bold it means that a corresponding variable needs to be set in the Value field as this will be mandatory value for the vSEC:CMS in this case. If a value is not available and the Name field is set as mandatory (marked in bold) then the certificate issuance will fail for the user.
UniCERT CA
The vSEC:CMS can be configured to connect to a UniCERT CA for issuing users with certificates.
vSEC:CMS uses UniCERT Programmatic Interface (UPI) to interface to the CA. It is therefore expected that the UPI interface is installed and configured on the CA before integrating with the vSEC:CMS
To add a CA connection from Options - Connections click the Configure button and make sure that Certificate Authorities is added to the Selected window.
From Options - Connections click Certificate Authorities and click Add to open the dialog where the CA specific connection details are configured.
Enter a template name and select UniCERT (UniCERT Certificate Authority) from the drop-down list. Click the Configure button for Java.
Select the version of installed Java Runtime Environment (JRE) which needs to be available on the server where the vSEC:CMSis running. Also enter any standard JVM parameters that may need to be set depending on your environment and recommendations from UniCERT. Click Ok to close.
It is required that a 32-bit version of JRE is installed on the server as the vSEC:CMSis a 32-bit application.
Under Configuration Options select either Local or Server. If Local is selected then the vSEC:CMSconsole will expect to have a locally installed PFX that will be used to authenticate the RA to the CA when performing CA operations. If Server is selected then the vSEC:CMS will need to be configured to use HSM where the RA credential is protected. This can be done by clicking the Credentials button in this case.
Click the Configure button for Connection Settings and enter the server details and port number that the server is listening on along with the UPI alias. If HTTPS is to be used for the connection, enable the Use HTTPS checkbox and select the certificate that is to be used for this from the drop-down list. Click the Test button to test connectivity to the CA. Enter the registration authority ID into the RA-ID field. Select the Use profile based credentials and browse to the location where a PFX exists for the user credential that will be used to authenticate to the CA. Enter the passcode for this PFX in the Profile passcode field and click the Test button to ensure that the credential used is valid.
Use certificate based credentials is currently not supported for this CA therefore it will be disabled here.
Click Ok to save and close the dialog.
Click the Get instances button to retrieve the CA instances available and select the required instance from the drop-down list. Click the Templates button to view and update the list of available templates from the CA. Click the Request fields button to configure the attributes that can be sent in the certificate request.
Configure Request Fields
On clicking the Request fields button a configuration dialog will be shown. By default, three request fields are present. These fields are mandatory for the CA. It will be necessary to assign a variable placeholder for these fields that are assigned to an attribute value in your directory.
Click in the Value (empty by default) field which will open a dialog.
If this is the first time configuring this then three vSEC:CMS variables are available. These variables are assigned to attributes in the AD. If it is required to add additional variables and assign them to directory attributes click the Add variable button. Select the variable that will be used from the available list and click Ok.
Additional fields can be added by clicking the Fields button.
If the Name value should be a static value hold down the Ctrl key and click in the Value field. For example, if we wanted to configure a Name called Country to have a static value of USA then by holding down the Ctrl key and clicking the Value field it is possible to enter the static value.
The Name fields can be either in bold or normal. If the Name field is in bold it means that a corresponding variable needs to be set in the Value field as this will be mandatory value for the vSEC:CMS in this case. If a value is not available and the Name field is set as mandatory (marked in bold) then the certificate issuance will fail for the user.
IDnomic CA
The vSEC:CMS can be configured to connect to a IDnomic CA (formerly known as OpenTrust) for issuing users with certificates.
To add a CA connection from Options - Connections click the Configure button and make sure thatCertificate Authorities is added to the Selected window.
From Options - Connections click Certificate Authorities and click Add to open the dialog where the CA specific connection details are configured.
Enter a template name and select Opentrust (OpenTrust) from the drop-down list.
Enter the IDnomic server URL that you will connect to in the OpenTrust Server URL field and click Test button to ensure connectivity to the server. A success dialog will appear if the URL is valid.
Select the certificate that will be used to authenticate to the IDnomic CA from the HTTPS Client Certificate field. It is recommended that the certificate used to authenticate is stored on the operator smart card.
Click the Get instances button to retrieve the CA instances available and select the required instance from the drop-down list. Click the Templates button to view and update the list of available templates from the CA. Click the Request fields button to configure the attributes that can be sent in the certificate request.
Configure Request Fields
On clicking the Request fields button a configuration dialog will be shown. By default, three request fields are present. These fields are mandatory for the CA. It will be necessary to assign a variable placeholder for these fields that are assigned to an attribute value in your directory.
Click in the Value (empty by default) field which will open a dialog.
If this is the first time configuring this then three vSEC:CMS variables are available. These variables are assigned to attributes in the AD. If it is required to add additional variables and assign them to directory attributes click the Add variable button. Select the variable that will be used from the available list and click Ok.
Additional fields can be added by clicking the Fields button.
If the Name value should be a static value hold down the Ctrl key and click in the Value field. For example, if we wanted to configure a Name called Country to have a static value of USA then by holding down the Ctrl key and clicking the Value field it is possible to enter the static value.
The Name fields can be either in bold or normal. If the Name field is in bold it means that a corresponding variable needs to be set in the Value field as this will be mandatory value for the vSEC:CMS in this case. If a value is not available and the Name field is set as mandatory (marked in bold) then the certificate issuance will fail for the user.
EJBCA
The vSEC:CMS can be configured to connect to a EJBCA for issuing users with certificates.
If the EJBCA is used it will not be possible to use the Self-Service capabilities of the vSEC:CMSto manage the certificate(s) on the smart card.
To add a CA connection from Options - Connections click the Configure button and make sure that Certificate Authorities is added to the Selected window.
From Options - Connections click Certificate Authorities and click Add to open the dialog where the CA specific connection details are configured.
It will only be possible to setup a connection to EJBCA from a host that is running Windows 2008 R2 or later.
Enter a template name and select the EJBCA (Enterprise Java Beans Certificate Authority) from the drop-down list.
Enable the Proxy through server checkbox if the communication to the CA should go directly through the server instead of the client trying to contact the server directly. This will be for scenarios where the operator accesses the Operator Console on their client host.
Enter the EJBCA server URL and from the HTTPS Client Certificate select the CA user certificate to connect to the EJBCA web service. This user’s certificate will need to be in the MS certificate store, which would typically be imported into the MS certificate store as a PKCS#12 file. If Proxy through server checkbox is enabled the client certificate needs to be in the local store of the Windows user that the vSEC:CMS service is running under on the server.
Click the Get instances button to connect to the EJBCA web service and retrieve the CA details.
Select the certificate authority that you wish to connect to and select the end entity profile that is to be used.
Click the Templates button to configure the CA templates that will be made available from this template. Click the Update button to ensure that all the latest CA templates are available from this dialog.
In the Certificate section you can configure the fields and values that should be in the Subject DN and the Subject Alternative Name. Click the Request fields button to begin configuring this. For more details on configuring these fields please contact Versasec.
Click the Save button to complete the setup.
DigiCert CA
The vSEC:CMS can be configured to connect to a DigiCert Enterprise Managed PKI.
If the DigiCert CA is used it will not be possible to use the Self-Service capabilities of the vSEC:CMSto manage the certificate(s) on the smart card for any version prior to 5.8.
To add a CA connection from Options - Connections click the Configure button and make sure that Certificate Authorities is added to the Selected window.
From Options - Connections click Certificate Authorities and click Add to open the dialog where the CA specific connection details are configured.
Enter a template name and from the drop-down list of available CA's select DigiCert (DigiCert CA). Enter the URL of your DigiCert CA and click the Test button to ensure connectivity to the DigiCert CA. A success dialog should appear if the connection is successfully established. In the Authentication key enter the authentication key as provided to you by DigiCert and click the Test button. You should receive a success dialog if the key material entered is correct. Click the Request fields button to configure the attributes that can be sent in the certificate request. Click the Templates button to view and update the list of available templates from the CA.
When the Templates dialog is opened the name of the templates may not be presented in a user-friendly format. Please request details from Versasec on how to transform the template names into user friendly format.
Configure Request Fields
On clicking the Request fields button a configuration dialog will appear. By default, three request names will be shown.
To configure an actual value for these named entries, click the empty field Value beside the name that is to be configured.
On clicking the empty Value field, a dialog will appear. For example, for the name Certificate Signature Hash the actual hash algorithm that is required should be configured here. In this case this needs to be entered as free text. Therefore, enable theUse free text radio button and enter sha256 for example. Additionally, a name value can be mapped to a variable placeholder which can retrieve the value from a directory.
Additional fields can be added by clicking the Fields button.
For further details and assistance with configuring specific settings for your DigiCert CA please contact Versasec for support.
PKCS#12
The vSEC:CMS can be configured to manually import PKCS12 certificate files during the smart card issuance.
To add a CA connection from Options - Connections click the Configure button and make sure that Certificate Authorities is added to the Selected window.
From Options - Connections click Certificate Authorities and click Add to open the dialog where the CA specific connection details are configured.
Enter a template name and select PKCS12 from the drop-down list. Click the Get button for the Certificate Authority Issuer DN to determine the DN of the issuing CA. A PKCS12 file that is to be imported can be selected to allow the vSEC:CMS to determine the issuing DN from the PKCS12 file. This will mean that only certificates issued by the issuing CA will be allowed to be imported. Click the Get button for Default folder to browse for PKCS12 files to set the default location where the vSEC:CMS will select the PKCS12 files from. Enter a default passphrase if the PKCS12 files that are to be imported are configured to be automatically selected from a certificate database certificate list file which has the same passphrase for each PKCS12 file in the database.
Physical Access
From Options - Connections click theConfigure button and ensure that Physical Access is added to the Selected window.
Then from Options - Connections click Physical Access to add template.
Click Add to open the dialog where the PAMS specific connection details are configured. The vSEC:CMS currently supports the Edge Connector PAMS which is included as a plug-in. If other PAMS systems are required to be configured please contact Versasec for details on how to add a PAMS connector plug-in.
In order to configure a connection to PAMS at least one connection to LDAP needs to be already configured as the PAMS connector expects to read data from LDAP.
Enter a template name and click the Configure button.
Enter the directory server specific details and configure the directory settings as necessary for the specific environment and click OK. If the environment on which the PAMS is configured is an AD, the LDAP configuration options can be used in this case to connect to the AD. Add or edit LDAP filter as required. Click the Test button to ensure that the directory is reachable and that the expected user details are returned.
External Trace
From the Options - Connections page it is possible to configure event logging to an MS event viewer for the vSEC:CMS application.
From Options - Connections click the Configure button and ensure that External Trace is added to the Selected window.
Then from Options - Connections click External Trace to enable external trace.
Enable Send events check box to send vSEC:CMS application events to the MS Windows event viewer. Click the Add this computer to add the computer that the vSEC:CMS application is running on, such that events will only be logged to the computers listed in Registered host computers. It will be necessary to have the event provider installed on the server that the vSEC:CMS is running on. If the event provider is not installed the Install event provider button will be enabled and it will be possible to install.
The following events will be logged with the event viewer:
· Start and stop of the vSEC:CMS Window services;
· The operator who starts the vSEC:CMS application;
· The operator who successfully authenticated and logged in;
· The operator who logs off the application;
· The following lifecycle operations will be captured card issued, card pin unblock, card revoke, card retire and card delete. The details logged will be the operator who performed the action and for which user the card the operation was performed on.
For more detailed description see the article Event Viewer Events.
An email server template would typically be configured if it is required that the vSEC:CMS application should send email notifications to the smart card user.
From Options - Connections click the Configure button and ensure that Email is added to the Selected window.
Then from Options - Connections click Email to add a template.
Click the Configure button for Email and click the Add button to add a new email template.
Enter a template name, along with the specific SMTP server specific details. For Credentials configure the required credentials as required by your email server to authenticate with. For Connection security enter the required type for your email server. Click the Check connection button to test that the template configuration is correct. A test email will be sent to the address configured in the Email address field.
If you get error reported: Failed to initialize SMTP connector: Class not registered then it maybe that you need to set the vSEC:CMS server as a static IP address and add it to allow list on your SMTP server(s) .
Data Export
From the Options - Connections page it is possible to configure the data export mechanisms that can be used by the vSEC:CMS application.
If it is required to export data from the vSEC:CMS application then the data to be exported and the transport mechanism would be configured from here.
Currently, the application supports file, email, print, SQL and SMS as the transport mechanisms.
Data Export - File
If the data export is configured to write data to XML file it is important to note that special characters will be handled differently because XML syntax uses some characters for tags and attributes therefore it is not possible to directly use those characters inside XML tags or attribute values. For these characters, the vSEC:CMS uses the numeric character reference instead of that character as defined in the XML standard.
From Options - Connections click the Configure button and ensure that Data Export is added to the Selected window.
Then from Options - Connections click Data Export to add a template.
Select the type File (Export to file) from the Target drop-down list.
Select the Write automatically to file option if it is required to write to file when the smart card is initiated. Alternatively, select the Write to cache if it is required to hold the data in the applications cache, whereby it can be written to file at a later time. If the Write to cache option is selected, enable the Ask for filename option to prompt the operator to select a file location to write the data to when the operator exports the cache manually.
Click the Format button to configure the file format and select the data that can be exported to file. Currently Delimited text, XML format and JSON format is supported with encoding of either ANSI or Unicode. The data that is selected to be exported can be configured so that the sequence of the entries as written to the export data file can be set. For example, if it was required to export the users ID (name), the users email address and the users PIN in that sequence the Export to file window list those variables in that order. Use the Up and Down button to configure the sequence of data variables as written to file.
Click the Browse button to select a file that the application will write the data to if the Write to cache option is not selected.
From the Permissions section, it is possible to configure the operators with specific roles who will be allowed to export the data. Click Save when complete.
Data Export - Email
From Options - Connections click the Configure button and ensure that Data Export is added to the Selected window.
Then from Options - Connections click Data Export to add template.
Select the type Email (Export to email) from the Target drop-down list.
Select the Send email automatically option if it is required to send an email when the smart card is initiated. Alternatively, select the Write to cache option if it is required to hold the data in the application cache, whereby it can be emailed at a later time. Click the Configure mail button to configure the email message (see below for more details). From the SMTP server drop-down list select the already configured SMTP server. Click the Test email button to ensure that the configuration works as required. A test email will be sent to the email address configured in the Email connection template.
From the Permissions section, it is possible to configure the operators with specific roles who will be allowed to export the data. Click Save when complete.
Configure Email Message
In this dialog, it is possible to configure the email message to be sent to the smart card user. The message content template can either be in MHTML format or in plain text.
If an MHTML file is used for the email content it will be necessary to select the Html radio button and click the Import button to select and import the MHTML file into the application. MHTML files can be created using MS Word for example. It is possible to place vSEC:CMS variables into the MHTML page which will be used as placeholders to be replaced by actual data that can be retrieved by the application.
If plain text is used for the email content it will be necessary to select the Text radio button. Enter the email address that the email will be sent from into the From field. The To field should contain the system variable for the user email address. In order to place the variable into the field, select the variable from the Variables drop-down list and select Copy. A short description will appear below the drop-down list providing a brief description of the variable. Right click the field and select paste. A CC and BCC can be provided if required. Enter an appropriate subject into the Subject field. For the message, enter an appropriate message with variables to be replaced with specific data from the system. If the variable cannot be resolved when exporting the data the variable name will be used instead, for example, if the variable ${UserPin} is used and for some reason the user PIN cannot be retrieved from the application then the value exported will be the variable name, i.e. ${UserPin}. Click Ok to save the template.
When adding variable placeholders to either MHTML or plain text the variable needs to be entered correctly i.e. the variables are case sensitive.
When constructing the email message in plain text, in order to move the cursor to a new line it is necessary to press Ctrl + return.
Data Export - Printer
From Options - Connections click the Configure button and ensure that Data Export is added to the Selected window.
Then from Options - Connections click Data Export to add template.
Select the type Print (Export to printer) from the Target drop-down list.
Select the Print automatically option if it is required to print the data when the smart card is initiated. Alternatively, select the Write to cache option if it is required to hold the data in the applications cache, whereby it can be printed at a later time. Click the Import button to import the print template file. This will result in the vSEC:CMS application reading and importing the file into the application's database. The location of this file will be displayed in the Filename field as a pointer to where the file was imported from. If this file is deleted or is no longer available on the system, the application will still have the file stored in the application database. Click the Export button to export this file from the application, if required at a later time.
From the Print at drop-down list select either Server (only) if the printing is to be carried out on the server side or Client (only) if the printing is to be carried out on the operator's client. It will only be possible to select one of the options here, therefore printing can only be conducted on server side or client side depending on what is selected here. Additionally, it will only be possible to configure the selected option here from the server side. Once the selected option is chosen it will not be possible to change this on the client side.
From the Renderer drop-down list either Microsoft Word or Windows system will be available. Microsoft Word will only be available if Microsoft Word is installed on the server or client where the printing is to be conducted. Microsoft Word should be used and selected when more advanced printing layout is required.
From the Printer drop-down list select from the available printer(s) accessible by the server if the printing is to be conducted on the server. Alternatively, if the printing is to be conducted on the operator's client then select from the available printer(s) accessible by the client.
From the Permissions section, it is possible to configure the operators with specific roles who will be allowed to print the data. Click Save when complete.
The print template format supported is rich text format. If font formatting of the text is required it is necessary to format the complete variable name too. For example, if it is required to print the user's first name in bold, then the variable (as in the example below) should be ${UserFirstName}, i.e. the entire variable name is in bold.
An example file format is displayed below:
Dear ${UserFirstName}, Your smart card has been issued. Your user PIN is: ${UserPin} You will be forced to change your smart card PIN on first use. Regards, The Smart Card Team |
Data Export - SQL
From Options - Connections click theConfigure button and ensure that Data Export is added to the Selected window.
Then from Options - Connections click Data Export to add template.
If a new template is being added select the type SQL (Export to SQL database) from the Target drop-down list.
Select the Write to database automatically option if it is required to write to the SQL DB when the smart card is initiated. Alternatively, select the Write to cache if it is required to hold the data in the applications cache, whereby it can be written to SQL DB at a later time.
Select the SQL DB from the Database drop-down list.
From the Permissions section, it is possible to configure the operators with specific roles who will be allowed to export the data. Click Save when complete.
Click the Configure fields button to configure the data that is to be written to the SQL DB. Click the Get button to retrieve and select the database table that the data is to be written to. Select a table column and click the Edit value to assign a record that is to be written to the table. For example, if the smart card CSN is to be written to the SQL database, select the column from the table and click the Edit value button. Select the variable ${Csn} and click OK. During the smart card initiation, the smart card serial number will be written to the SQL database table.
Data Export - SMS
This feature would typically be used for unblocking smart card tokens when used with the USS application whereby the smart card token unblock code would be sent via SMS to the end user. This feature could also be used to send the PIN code set on the smart card during the issuance process.
From Options - Connections click the Configure button and ensure that Data Export is added to the Selected window.
Then from Options - Connections click Data Export to add template.
If a new template is being added select the type SMS (Export to SMS) from the Target drop-down list.
Select the Send SMS automatically option if it is required to send the SMS message when the smart card is initiated. Alternatively, select the Write to cache if it is required to hold SMS in the applications cache, whereby it can be sent at a later time.
Click the Configure SMS button to create a SMS message template. Enter a phone number in the Phone number field. This would typically be a variable that is mapped to an attribute in the user directory. For testing purposes, you can enter a valid number into the filed. Enter the country code followed by the phone number, for example if the mobile number that the test was being carried out in was in the United Kingdom then enter +44<your_mobile_number>. In the message window enter the message content that you wish to send. From the Variables drop-down list select a variable that is required and click the Copy button to copy the variable value which can then be pasted into the message window. Click Ok to save the settings.
Click the Manage button and click Add to add an SMS provider.
Currently the SMS providers that can be used are TeleSign, Certificall, Clickatell, Tyntec and Dolphin. Also it is possible to configure a Generic HTTP SMS connector if the provider supports HTTP.
If TeleSign is used enter a template name and the Service address and Service mobile address fields will automatically be entered with the details for TeleSign. In the Credentials section enter the credentials as provided by TeleSign. Click Save to save and close the dialog.
Click the Test SMS button to test that an SMS message can be sent to a number entered into the Phone number field from the Configure SMS dialog.
For the other supported SMS providers (Certificall, Clickatell, Tyntec and Dolphin) the protocol used is SMS over HTTP as this is the protocol supported by these providers. If additional providers not listed here do support SMS over HTTP then the generic HTTP provider can be configured. Sample configurations have been pre-set for the providers supported. It is necessary to check with your provider to determine what parameters are required.
For example, if you are using Clickatell as your provider then enter a template name and select Clickatell from the available SMS providers. Enter the service address and the protocol required. In the Parameters section pre-set parameters are already provided. The user, password and api_id need to be configured with your specific credentials. The to and text will be assigned to variables mapped to attributes as the phone number will need to be retrieved for the user typically from a user directory and the text needs to retrieved.
Data Export - Browser
It is possible to export data to the default browser on the host where an operator or user is performing lifecycle operations where data export is configured. This can be useful if it is required to show some information when an operation is performed.
From Options - Connections click the Configure button and ensure that Data Export is added to the Selected window.
Then from Options - Connections click Data Export to add template.
If a new template is being added select the type Browser (Export to Web Browser) from the Target drop-down list.
It will be required to have a HTML page ready that needs to be imported into the system. The HTML page will contain the information that you wish to be exported. Below is a simple example of what this could look like. The values ${Csn} and ${UserPin} below are internal vSEC:CMS variables. You can add / use applicable variables as per your requirements that can be exported from vSEC:CMS. Save the file as a .html file and import it into the system using the Import button.
<html>
<head>
<title>vSEC:CMS Test Dataexport HTML page</title>
</head>
<body> Example HTML page <br>
CSN: ${Csn}<br>
Your PIN is: ${UserPin} <br>
</body>
</html>
The Export button can be used to export the HTML file from the system if you need to export the file sometime later and modify it for whatever reason.
Click the Variables button to see and check that the variables you expect are correctly available from your HTML import file.
The Temp folder drop down is the location where the html data export file is written to. There are several options available when deciding what location on the host that the HTML file will be written to. These are:
- Windows: GetTempPath() - If this option is selected the file will be written to C:/Users/<Windows_user_account>/AppData/Local/Temp
- %WINDOWS%\Temp - If this option is selected the file will be written to C:/Windows/temp
- Registry - If this option is selected the file will be written to a location as configured through a registry setting. This registry setting would need to be deployed to all clients that will use this feature. You will need to first get the vSEC:CMS template ID and make a note of this value. You can get this by selecting the data export template where you can see the value (see example below).
Then using this create a String named dataexport.html.<vsec-template-id>.tempdir in either [HKEY_LOCAL_MACHINE\SOFTWARE\Versatile Security\vSEC_CMS_T] or [HKEY_CURRENT_USER\SOFTWARE\Versatile Security\vSEC_CMS_T]. If both locations are used then [HKEY_LOCAL_MACHINE\SOFTWARE\Versatile Security\vSEC_CMS_T] will be taken. Substitute with the template ID noted before (for example, it would look like this dataexport.html.0015001a.tempdir in our example). For the value enter the full path that the file will be written to. - Folder: Desktop - If this option is selected the file will be written to C:/Users/<Windows_user_account>/Desktop
- Folder: AppData - If this option is selected the file will be written to C:/Users/<Windows_user_account>/AppData/Roaming
- Folder: AppDataLocal - If this option is selected the file will be written to C:/Users/<Windows_user_account>/AppData/Local
- Folder: MyDocuments - If this option is selected the file will be written to C:/Users/<Windows_user_account>/Documents
By default the HTML file generated will be deleted after 1 minute. You can change this and disable the auto deletion after 1 minute. To do this a registry setting would need to be deployed to all clients where you want to disable the auto deletion. You will need to first get the vSEC:CMS template ID and make a note of this value. You can get this by selecting the data export template where you can see the value (see example below).
Then using this create a DWORD named dataexport.html.<vsec-template-id>.autodelfile in either [HKEY_LOCAL_MACHINE\SOFTWARE\Versatile Security\vSEC_CMS_T] or [HKEY_CURRENT_USER\SOFTWARE\Versatile Security\vSEC_CMS_T]. If both locations are used then [HKEY_LOCAL_MACHINE\SOFTWARE\Versatile Security\vSEC_CMS_T] will be taken. Substitute with the template ID noted before (for example, it would look like this dataexport.html.0015001a.autodelfile in our example). Set the value to 0 (zero) to disable auto deletion.
Smart Card Readers
It is possible to hide smart card readers from the vSEC:CMS application if it is required to only allow specific smart card readers to be used with the application. For example, if it is required to hide a specific reader from the application, attach the reader and select the reader that is to be hidden and click the OK button. It will then not be possible to use this specific reader with the application when managing smart card.
From Options - Connections click theConfigure button and ensure that Smart Card Readers is added to the Selected window.
Then from Options - Connections click Smart Card Readers to configure the settings.
Hardware Security Module (HSM)
It is possible to configure a connection to a Hardware Security Module (HSM) from this page. A HSM can be used to store the master key used when diversifying new administration keys when registering new smart card tokens with the vSEC:CMS.
From Options - Connections click the Configure button and ensure that Hardware Security Module is added to the Selected window.
Then from Options - Connections click Hardware Security Module to configure.
Smart Card Printer
Currently the vSEC:CMS supports the Fargo HDP5000, Datacard SR300, Magicard Prima 4 and Evolis Primacy printers.
From Options - Connections click the Configure button and ensure that Smart Card Printer is added to the Selected window.
Then from Options - Connections click Smart Card Printer to configure.
Photo Capture
It is possible to configure the vSEC:CMS to connect to a camera which can be used to take a picture of a user during the smart card issuance process.
Version 4.0 of .NET Framework needs to be installed on the server where vSEC:CMS is installed.
From Options - Connections click the Configure button and ensure that Photo Capture is added to the Selected window.
Then from Options - Connections click Smart Photo Capture to configure.
SQL Database
From Options - Connections click the Configure button and ensure that SQL Database is added to the Selected window.
Then from Options - Connections click SQL Database to configure.
For detailed description on how to use SQL database see the article Using MS SQL with vSEC:CMS for details.
User Self-Service
From the User Self-Service (USS) it will be possible to configure the connection settings for the USS service. The USS is a SOAP service that runs on the vSEC:CMS server and services USS client requests. The Windows service that manages this service is named vSEC:CMS - User Self Service.
A minimum of Windows .NET framework 4.0 will need to be installed on the vSEC:CMS server for this feature.
From Options - Connections click the Configure button and ensure that User Self-Service is added to the Selected window.
Then from Options - Connections click User Self-Service to configure.
If the dialog presents a message about requiring a License Upgrade then this is because the USS feature was not enabled when your provider issued the System Owner operator card. Click the Get challenge button and provide the challenge to your provider as instructed. Your provider should provide a code that should be pasted into the Upgrade field and click the Upgrade button to apply the code and enable the USS connection settings dialog.
When this feature is enabled it will be possible to configure the connection settings.
Enable the All adapters checkbox if there are several different network adapters available. ThevSEC:CMS will listen on all adapters available for incoming connections.
The setting Enable get service metadata is enabled and cannot be configured from this dialog. It is shown for information purpose. This is a WSDL web services scheme to tell potential clients about the structure of the web service.
Enter the host name of the vSEC:CMS server and the port that the server will listen on. Enable the Use SSL checkbox, which is strongly recommended, so that the communication is over SSL/TLS.
In the Server connection point section enable the Customized endpoint address and enter the URL that the end point, i.e. the URL that should be configured on the end users client workstation, if the clients are configured to go through a HTTP proxy.
From the Server certificate select the server certificate to use for the SSL/TLS. This certificate needs to be available in the MS certificate store for the local machine in the Personal store.
Click OK to save the configuration.
Operator Console Service
From the Operator Console Service, the connection settings for this service are configurable. This service is a SOAP service and is managed by the Windows service named vSEC:CMS - Operator Console Service. The service will allow operators to connect to the vSEC:CMS using a client-side application console to perform restricted lifecycle management operations. This will mean that operators can connect to the vSEC:CMS using a client-server model over HTTP removing the requirement to connect over RDP / Terminal services.
A minimum of Windows .NET framework 4.0 will need to be installed on the vSEC:CMS server for this feature.
From Options - Connections click the Configure button and ensure that Operator Console Service is added to the Selected window.
Then from Options - Connections click Operator Console Service to configure.
Enable the All adapters checkbox if there are several different network adapters available. The vSEC:CMS will listen on all adapters available for incoming connections.
The setting Enable get service metadata is enabled and cannot be configured from this dialog. It is shown for information purpose. This is a WSDL web services scheme to tell potential clients about the structure of the web service.
Enter the host name of the vSEC:CMS server and the port that the server will listen on. Enable the Use SSL checkbox, which is strongly recommended, so that the communication is over SSL/TLS.
In the Server connection point section enable the Customized endpoint address and enter the URL that the end point, i.e. the URL that should be configured on the operator client's workstation, if the operator clients are configured to go through a HTTP proxy.
From the Server certificate select the server certificate to use for the SSL/TLS. This certificate needs to be available in the MS certificate store for the local machine in the Personal store.
Click OK to save the configuration.
Plugin API
The vSEC:CMS Plugin API enables integration with the vSEC:CMS lifecycle processes. The plugins make it possible to customize the smart card management lifecycle processes and add/modify tasks for each lifecycle process. For full details, including sample code and examples, please contact Versasec.
From Options - Connections click the Configure button and ensure that Plugin API is added to the Selected window.
Then from Options - Connections click Plugin API to configure.
RSDM Service
This service is a SOAP service and is managed by the Windows service named vSEC:CMS - RSDM Service. The service will allow devices which have Virtual Smart Cards (VSC) managed by the vSEC:CMS and which have RSDM service installed on the device to connect to the vSEC:CMS thereby allowing for the centralized management of these devices. The communication will be over HTTP(S).
A minimum of Windows .NET framework 4.0 will need to be installed on the vSEC:CMS server for this feature.
From Options - Connections click the Configure button and ensure that RSDM Service is added to the Selected window.
Then from Options - Connections click RSDM Service to configure.
Enable the All adapters checkbox if there are several different network adapters available. The vSEC:CMS will listen on all adapters available for incoming connections.
The setting Enable get service metadata is enabled and cannot be configured from this dialog. It is shown for information purpose. This is a WSDL web services scheme to tell potential clients about the structure of the web service.
Enter the host name of the vSEC:CMS server and the port that the server will listen on. Enable the Use SSL checkbox, which is strongly recommended, so that the communication is over SSL/TLS.
In the Server connection point section enable the Customized endpoint address and enter the URL that the end point, i.e. the URL that should be configured on the operator client's workstation, if the operator clients are configured to go through a HTTP proxy.
From the Server certificate select the server certificate to use for the SSL/TLS. This certificate needs to be available in the MS certificate store for the local machine in the Personal store.
Click OK to save the configuration.
API Service
This service is a WSDL API service and is managed by the Windows service named vSEC:CMS – API Service. This will allow external applications to be developed to connect to the vSEC:CMS to retrieve unblock codes for smart card tokens managed by the vSEC:CMS.
A minimum of Windows .NET framework 4.0 will need to be installed on the vSEC:CMS server for this feature.
From Options – Connections click the Configure button and ensure that API Service is added to the Selected window.
Then from Options – Connections click API Service to configure.
Enable the All adapters checkbox if there are several different network adapters available. The vSEC:CMS will listen on all adapters available for incoming connections.
During the development and testing stage the Enable get service metadata should be enabled. This is to enable the WSDL web services scheme and make it available to clients displaying the structure of the web service.
Enter the host name of the vSEC:CMS server and the port that the server will listen on. Enable the Use SSL checkbox, which is strongly recommended, so that the communication is over SSL/TLS.
If Use SSL is enabled it will be possible to enable Certificate Authentication. If this is enabled it will mean that any application that will use the API will need to have a client certificate available as the API service will enforce mutual authentication when SSL/TLS is used for the connection in this case.
From the Server certificate select the server certificate to use for the SSL/TLS. This certificate needs to be available in the MS certificate store for the local machine in the Personal store.
In the Server Connection Point section enable the Customized endpoint address and enter the URL that the end point, i.e. the URL that should be configured on the operator client’s workstation, if the operator clients are configured to go through a HTTP proxy.
From the Enabled APIs section, you can configure which API to use.
By default, the Web API service is enabled. You should use this if you are using the Java script API.
Enable the Helpdesk API if you are using SOAP API to integrate helpdesk like operations into your application such as PIN unblock workflows and managed smart card search operations.
Enable the Lifecycle API if you are using the SOAP API to integrate life cycle like operations into your application such as smart card issuance.
Enable Allow card deletion if it is to be allowed to perform managed smart card tokens. If this option is enabled it will be possible to delete managed smart card tokens from an external application that uses the API.
Enable Require approval option if before deleting the managed smart card token an operator needs to approve the operation. This will result in the requested deletion operation being put into the Repository – Pending tasks where an operator will then need to approve such a request before it can complete.
Click the Authentication Tickets to configure the authentication tickets that any application will need to authenticate to the API when connecting to it. On clicking the Authentication Tickets click the Add button to add a ticket. Enter an identifier name in the Name field. Enable the Enable checkbox to make the ticket active and in the Validity field enter how long the ticket will be active for. Enter 0 (zero) to configure the ticket to be active forever. On adding the ticket, it will appear in the table. Select the entry and click the Generate Ticket button. This will generate the authentication ticket that should then be used in the external application as the authentication ticket used to authenticate when connecting to the application.
Click OK to save the configuration.
For all of these available APIs please contact Versasec for further details on how to use these APIs.
OAuth Identity Provider (IdP)
From version 5.7 it is possible to configure a connection to an OpenID Connect (OIDC) compatible identity provider. OIDC 1.0 is a simple identity layer on top of the OAuth 2.0 protocol. It allows Clients to verify the identity of the End-User based on the authentication performed by an Authorization Server, as well as to obtain basic profile information about the End-User in an interoperable and REST-like manner. This can be used to authenticate a user when performing self-service operations on managed credential tokens in vSEC:CMS.
From Options – Connections click the Configure button and ensure that OAuth Identity Provider (IdP) is added to the Selected window. Enter a name in the Template name field and click the Get button. Enter the appropriate identity provider URL, client ID and secret in the fields provided and click Ok. If all the details are valid then you will see information populated in the OpenID Connect Provider window.
In the User Directory section select your directory that should be used from the Active Directory drop-down field. In the User ID mapping field enter the LDAP compliant query that will be run to validate that user exists in your organizations directory and also to derive the users DN that the certificate credential will be issued to if an issuance is being performed. For example, if it is required to authenticate the user by checking your Active Directory for the email address that can be retrieved from the user’s JSON ID Token object, then enter (mail=###email###) into the User ID mapping field, where mail is the AD attribute. Enable Fail if more than one user ID found if the authentication flow should fail if more than one user is returned from the LDAP query. Enter the Redirect URL into the field which is the back-end service that the OIDC should redirect to, for example, http://my-cms-server:<port>/oidc. Click the Configure server button to configure the vSEC:CMS SOAP service.
Click the Test button to perform an actual test on a user in your environment.