It may be required to perform some validation steps before a credential token is issued to a user. For example, we may want to check that the user is active in the user directory before we allow the credential token to be issued. This is possible to configure in the vSEC:CMS.
In this article, we will use an example scenario in which the credential token unique serial number (CSN) is validated against a directory attribute value of the credential user, so that only the credential with that specific CSN can be issued to that specific user.
Step 1 - Create Input File
To cover the scenario described above, an input file must be created. If the default installation location of the vSEC:CMS was selected during installation, the input file should be copied to C:\Program Files (x86)\Versasec\vSEC_CMS vSEC:CMS\cms_db\import . The file extension should be .in, for example Input_File_1.in. Once the file is copied to this folder you will notice that the file name changes to File_1.in_20161117114836942.succ (if the same file name is used as in this example). The .succ extension indicates that the data was successfully imported into the database.
The input file should be an XML file configured similar to the one below.
<?xml version="1.0" encoding="UTF-8"?>
<data>
  <e id="570113512524DE11200AFFFF">
    <v name="CMS_Variable_ID" value="credential1"/>
  </e>
  <e id="570113512524DE112345FFFF">
    <v name="CMS_Variable_ID" value="credential2"/>
  </e>
</data>
<cms_config>
  <v name="variableName" value="credential_number"/>
</cms_config>
In the example above the <data> tag contains the information about the actual credential token unique serial number (CSN). The entry in the example above
<e id="570113512524DE11200AFFFF">
  <v name="CMS_Variable_ID" value="credential1"/>
</e>
will import into the CMS database a credential CSN with the value 570113512524DE11200AFFFF, and this CSN must correspond to a user whose directory attribute holds the value credential1. This means that during credential issuance the vSEC:CMS will check that the credential being issued to a particular user, identified by its CSN, matches the value credential1 in the configured directory attribute of that user. If this condition is not met, the credential issuance will fail.
The data below
<cms_config>
  <v name="variableName" value="credential_number"/>
</cms_config>
is used by the vSEC:CMS to create the database record for the data imported above. The value instructs the vSEC:CMS to create a database file named credential_number, saved with a .db file extension. This file will be saved to C:\Program Files (x86)\Versasec\vSEC_CMS vSEC:CMS\cms_db\data if the default installation location of the vSEC:CMS was selected during installation.
Step 2 - Add Variable for Imported Data
It is necessary to add a variable so that the data imported in step 1 can be mapped to this variable and used in the validation check during credential token issuance.
1. From Options - Variables click the Add button.
2. In the first drop-down list select Imported.
3. In the Variable name drop-down list you should see the value CMS_Variable_ID, the variable name configured in the input file in step 1 of this example. Enter some label information to identify the variable, which may be used later if required. In the Parameter drop-down list select one of the already available vSEC:CMS variables; in this case we want this variable to match the CSN of the credential that is to be issued. Select the mandatory check box if this variable is required to contain data for any template in which it may be used. Click Ok to save and add the variable to the system.
Step 3 - Add Variable for Directory Attribute
1. From Options - Variables click the Add button.
2. In the first drop-down list select Directory (DN).
3. In the Variable name field enter an appropriate variable name. Enter some label information to identify the variable, which may be used later if required. In the Description field enter a fuller description of what this variable is used for. Select the mandatory check box if this variable is required to contain data for any template in which it may be used. Click Ok to save and add the variable to the system.
Step 4 - Configure Credential Template
It is necessary to configure a credential template that will be used when issuing the credential token. It is presumed that all back-end connections to directories and the CA are already in place.
1. From Templates - Credential Templates click the Add button and click the Edit link beside General.
2. Enter a template name and for credential type attach the credential you wish to manage for this template and click the Detect button. In this example, we will manage a Gemalto ID Prime MD credential. Leave all other settings as is and click Ok to close and save.
3. Click the Edit link beside Issue Credential.
4. Enable Assign user ID and select the directory that you will use from the drop-down list.
5. Click the Manage button. Select the directory that you will use and click the Edit button.
6. Click the Edit button. Select the variable added in step 3 and in the Variable value (directory field name) field enter the correct directory attribute name in the field provided. For example, if the attribute name value in your directory is userCredentialID then enter this value in the field.
7. Click Ok to save and close out.
8. Back at the main Issue Credential dialog, configure whatever other settings are required for your particular template and click the Ok button to save and close the dialog.
9. Click the Edit link again for the General option.
10. In the Permissions section, you will configure the settings for the validation steps. Enable Access rights per individual lifecycle tasks if the validation steps are to be configured per individual lifecycle task for this credential template. Otherwise leave it disabled, so that the validation step is global for this credential template.
11. If Access rights per individual lifecycle tasks is not enabled, click the Manage button in the Validate before issuance section.
12. Click Add. Enter a template name and from the drop-down list select Verify variables (Verify variable values).
13. In the Source value field enter the variable name as configured in step 3. If you know the name, you can search for the variable in the Search field; alternatively, select the variable from the Variables drop-down list and click the Copy button, then paste the value into the Source value field.
14. Select the comparison that needs to be performed from the drop-down list. Fill in the Reference value field in the same way: search for the variable in the Search field if you know the name, or select it from the Variables drop-down list, click the Copy button and paste the value into the Reference value field.
15. Enable the Must have values check box if a value must be returned when performing the validation.
16. Enable the Case sensitive check box if the validated data must match the imported data exactly, including letter case.
17. Click the Save button to save and close.
You can now perform a credential issuance from the Lifecycle page and confirm that the imported data was used and that the validation succeeded.
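To make the check configured above concrete, the following added example (not vSEC:CMS code, and not from the vendor) parses a constructed input file in the Step 1 format and models the Verify variables comparison from Step 4, including the Must have values and Case sensitive options. The directory records and the userCredentialID attribute name are assumed, and because the input file as shown has two top-level elements, the parser wraps it in a synthetic root.

```python
import xml.etree.ElementTree as ET

# Constructed sample input file, mirroring the format shown in Step 1.
SAMPLE_IN = """<?xml version="1.0" encoding="UTF-8"?>
<data>
  <e id="570113512524DE11200AFFFF"><v name="CMS_Variable_ID" value="credential1"/></e>
  <e id="570113512524DE112345FFFF"><v name="CMS_Variable_ID" value="credential2"/></e>
</data>
<cms_config>
  <v name="variableName" value="credential_number"/>
</cms_config>
"""

# Constructed directory records; userCredentialID is the attribute name assumed in Step 4.
DIRECTORY = {
    "alice": {"userCredentialID": "credential1"},
    "bob":   {"userCredentialID": "CREDENTIAL2"},   # differs only in case
    "carol": {},                                    # attribute not populated
}

def parse_input_file(text):
    """Return (db_name, {CSN: CMS_Variable_ID value}) from an input file in the Step 1 format."""
    body = text.split("?>", 1)[1] if text.lstrip().startswith("<?xml") else text
    # <data> and <cms_config> are siblings at top level, so wrap them for a strict parser.
    root = ET.fromstring("<root>" + body + "</root>")
    db_name = root.find("cms_config/v[@name='variableName']").get("value")
    table = {}
    for e in root.findall("data/e"):
        v = e.find("v[@name='CMS_Variable_ID']")
        table[e.get("id").upper()] = v.get("value")
    return db_name, table

def verify_variables(source, reference, must_have_values=True, case_sensitive=True):
    """Model the 'Verify variables' equality check with its two check-box options."""
    src, ref = source or "", reference or ""
    if must_have_values and (not src or not ref):
        return False            # a missing value on either side fails the check
    if not case_sensitive:
        src, ref = src.lower(), ref.lower()
    return src == ref

def validate_issuance(csn, user, directory=DIRECTORY, input_text=SAMPLE_IN,
                      attribute="userCredentialID", **opts):
    """True when the imported value for this CSN matches the user's directory attribute."""
    _, table = parse_input_file(input_text)
    imported = table.get(csn.upper())                       # imported variable (Step 2)
    dir_value = directory.get(user, {}).get(attribute)      # directory variable (Step 3)
    return verify_variables(imported, dir_value, **opts)
```

Note that with Must have values disabled, an unknown CSN and an empty directory attribute compare as equal, which is why the option is worth keeping enabled for this scenario.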