Validation Steps before Issuance

Anthony - Versasec Support

It may be required to perform some validation steps before a smart card token is issued to a user. For example, we may want to check that the user is active in the user directory before we allow the smart card token to be issued. This is possible to configure in the vSEC:CMS.

In this article, we will use an example scenario in which the smart card token's unique serial number (CSN) must be validated against a directory attribute value for the card user, to ensure that only a card with the specific CSN can be issued to a specific user.

Step 1 - Create Input File

To cover the scenario described above, you must create an input file. If the default installation location of the vSEC:CMS was selected during installation, copy the input file to the folder C:\Program Files (x86)\Versasec\vSEC_CMS vSEC:CMS\cms_db\import . The file extension should be .in, for example Input_File_1.in. Once the file is copied to this folder you will notice that the file name changes to File_1.in_20161117114836942.succ (if the same file name is used as in this example). The file extension .succ indicates that the data was successfully imported into the database.

The input file should be an XML file configured similarly to the example below.

<?xml version="1.0" encoding="UTF-8"?>
<data>
  <e id="570113512524DE11200AFFFF">
    <v name="CMS_Variable_ID" value="card1"/>
  </e>
  <e id="570113512524DE112345FFFF">
    <v name="CMS_Variable_ID" value="card2"/>
  </e>
</data>
<cms_config>
  <v name="variableName" value="card_number"/>
</cms_config>

In the example above the <data> tag contains the information about the actual smart card token unique serial number (CSN). The data in the example above

<e id="570113512524DE11200AFFFF">
  <v name="CMS_Variable_ID" value="card1"/>
</e>

will import into the CMS database a smart card CSN with a value of 570113512524DE11200AFFFF, and this value must correspond to a user in the directory with a value of card1. This means that during card issuance the vSEC:CMS will check that the user to whom the card (identified by its CSN) is being issued has the value card1 in a specific directory attribute. If this condition is not met, the card issuance will fail.

The data in the section below

<cms_config>
  <v name="variableName" value="card_number"/>
</cms_config>

is used by the vSEC:CMS to create the database record of the data imported above. The value instructs the vSEC:CMS to create a database file named card_number, which is saved with a .db file extension. This file is saved to C:\Program Files (x86)\Versasec\vSEC_CMS vSEC:CMS\cms_db\data if the default installation location of the vSEC:CMS is selected during installation.
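A pre-import check for the input file described in Step 1, as an added example that is not part of the original article or of Versasec's tooling. It assumes the two-element layout shown above, that CSNs are hexadecimal strings compared without regard to case, and that each directory value should be bound to a single card; the function name lint_input_file is hypothetical.

```python
import re
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample in the layout shown above (<data> and <cms_config> side by side).
SAMPLE = """<?xml version="1.0" encoding="UTF-8"?>
<data>
<e id="570113512524DE11200AFFFF"><v name="CMS_Variable_ID" value="card1"/></e>
<e id="570113512524DE112345FFFF"><v name="CMS_Variable_ID" value="card2"/></e>
</data>
<cms_config><v name="variableName" value="card_number"/></cms_config>
"""

HEX = re.compile(r"[0-9A-Fa-f]+")  # assumption: CSNs are hex strings, as in the article


def lint_input_file(text):
    """Return a list of problems found in a .in file; an empty list means clean."""
    # Two top-level elements: strip the XML declaration and wrap in a synthetic root.
    body = re.sub(r"^\s*<\?xml[^>]*\?>", "", text)
    try:
        root = ET.fromstring("<root>" + body + "</root>")
    except ET.ParseError as exc:
        return ["not parseable: %s" % exc]
    problems = []
    entries = root.findall("./data/e")
    if not entries:
        problems.append("no <e> entries under <data>")
    csns = [e.get("id", "").upper() for e in entries]
    values = []
    for csn, e in zip(csns, entries):
        if not HEX.fullmatch(csn):
            problems.append("CSN is not a hex string: %r" % csn)
        vals = [v.get("value", "").strip() for v in e.findall("v")]
        if len(vals) != 1 or not vals[0]:
            problems.append("CSN %s needs exactly one non-empty value" % csn)
        values.extend(vals)
    # A CSN listed twice makes the card-to-user binding ambiguous.
    problems += ["CSN listed %d times: %s" % (n, c)
                 for c, n in Counter(csns).items() if n > 1]
    # One directory value on several cards weakens the one-card-per-user binding.
    problems += ["value %r is bound to %d cards" % (v, n)
                 for v, n in Counter(x for x in values if x).items() if n > 1]
    names = [v.get("value") for v in root.findall("./cms_config/v[@name='variableName']")]
    if len(names) != 1 or not names[0]:
        problems.append("cms_config must carry exactly one variableName")
    return problems


if __name__ == "__main__":
    print(lint_input_file(SAMPLE) or "input file looks consistent")
```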

Step 2 - Add Variable for Imported Data

It will be necessary to add a variable such that the imported data in step 1 can be mapped to this variable and used when checking the validation during the smart card token issuance.

1. From Options - Variables click the Add button.

2. In the first drop-down list select Imported.

3. In the Variable name drop-down list you should see the value CMS_Variable_ID, which is the variable name configured in the input file in step 1 of this example. Enter a label to identify the variable; it may be used later if required. In the Parameter drop-down list select from the already available vSEC:CMS variables; in this case we want this variable to match the CSN of the card that is to be issued. Select the mandatory check box if this variable is required to contain data for any template that it may be used in. Click Ok to save and add the variable to the system.

Step 3 - Add Variable for Directory Attribute

1. From Options - Variables click the Add button.

2. In the first drop-down list select Directory (DN).

3. In the Variable name field enter an appropriate variable name. Enter a label to identify the variable; it may be used later if required. In the Description field enter a fuller description of what this variable is used for. Select the mandatory check box if this variable is required to contain data for any template that it may be used in. Click Ok to save and add the variable to the system.

Step 4 - Configure Card Template

It will be necessary to configure a card template that will be used when issuing the smart card token. It is presumed that all back-end connections to directories and CA are in place.

1. From Templates - Card Templates click the Add button and click the Edit link beside General.

2. Enter a template name. For card type, attach the card you wish to manage with this template and click the Detect button. In this example, we will manage a Gemalto ID Prime MD card. Leave all other settings as they are and click Ok to close and save.

3. Click the Edit link beside Issue Card.

4. Enable the Assign user ID and select the directory that you will use from the drop-down list.

5. Click the Manage button. Select the directory that you will use and click the Edit button.

6. Click the Edit button. Select the variable added in step 3 and, in the Variable value (directory field name) field, enter the correct directory attribute name. For example, if the attribute name in your directory is userCardID then enter this value in the field.

7. Click Ok to save and close out.

8. When back at the main dialog for Issue Card, configure whatever other settings are required for your particular template and click the Ok button to save and close the dialog.

9. Click the Edit link again for the General option.

10. In the Permissions section, you will configure the settings for the validation steps. Enable the Access rights per individual lifecycle tasks if it is required to configure the validation steps per individual lifecycle task for the particular card template. Otherwise do not enable this if the validation step is to be global for the particular card template.

11. If the Access rights per individual lifecycle tasks is not enabled, then click the Manage button in the Validate before issuance section.

12. Click Add. Enter a template name and from the drop-down list select Verify variables (Verify variable values).

13. In the Source value field enter the variable name as configured in step 3. It is possible to search for the variable, if you know the name, in the Search field or you can select the variable from the Variables drop-down list and click the Copy button. You can then paste the value into the Source value field.

14. Select the comparison that needs to be performed from the drop-down list. Similarly, it is possible to search for the variable, if you know the name, in the Search field or you can select the variable from the Variables drop-down list and click the Copy button. You can then paste the value into the Reference value field.

15. Enable the Must have values check box if it is required that a value needs to be returned when performing the validation.

16. Enable the Case sensitive check box if, when performing the validation, the validated data must match the imported data including letter case.

17. Click the Save button to save and close.

You can now perform a card issuance from the Lifecycle page and confirm that the data was imported successfully and was successfully validated.