Setup and Configure Support for Card Printer

Anthony - Versasec Support

Introduction

The vSEC:CMS can be configured to connect to smart card printers which will enable the issuance and printing of the smart cards through a smart card printer.

Note
It is important to be aware that vSEC:CMS is designed primarily as a credential management system. This means that you use it to manage the lifecycle of credentials, normally PKI credentials. When this is combined with printing, the complete end-to-end encoding of the credential and the printing onto the smart card can take some time. Network speed can also affect the overall time to complete the process, as can the number of certificates issued and the key size of each certificate. For one certificate issued during a card printing operation, the time taken to complete can be anything from 3-5 minutes. It is therefore important to factor such timings into your deployment strategy.

This article will describe how you can configure the vSEC:CMS to be used with Fargo HDP5000 and Datacard SR300 card printers.

Setup Using Fargo HDP5000 Card Printer

In this section, we will describe how to set up and configure an HID Fargo HDP5000 smart card printer for use with the vSEC:CMS, where the HDP5000 is physically connected to the vSEC:CMS operator console workstation via the printer's USB connection. The USB connection in this case is used to connect the printer's built-in smart card readers to the operator's workstation. This should be viewed the same as if a USB smart card reader was connected to the operator's workstation. In this example, we will also describe how the printer can be used to batch issue smart cards from the card feeder of the printer.

Note
The PKI used in this example use case will be an MS CA.
Note
The smart card type that will be managed in this use case will be a generic mini-driver smart card token.
Important
The smart card printer can be set up on a network where the smart card reader is configured as a network smart card reader. In this type of configuration, the communication is unencrypted. If you decide to use such a setup, be aware that the data sent to the smart card that is to be issued will be sent over the network unencrypted. Versasec does not recommend such a configuration, but if your network is considered secure then you may wish to set up the printer this way. We will therefore only describe how the vSEC:CMS can be set up to use the smart card printer when the smart card reader(s) are connected to the operator's workstation using the printer USB cable.

Step 1 - Connect Printer to Network

The smart card printer should be connected to your network. Make a note of the IP address assigned to the printer. This information should be available from the display console on the printer. It is recommended that the IP address is a static IP value.

Step 2 - Install Smart Card Reader(s) Driver(s)

The printer will have built-in smart card reader(s). If the smart card contact chip is only to be managed by the vSEC:CMS then only one reader driver will need to be installed. It will be necessary to install the driver for the printer's built-in smart card reader, which is typically an Omnikey reader. These drivers can be downloaded from HID's website. If the operator is connecting over RDP to the vSEC:CMS operator console then these drivers will need to be installed on both the server where the vSEC:CMS is installed and on the workstation where the operator's RDP session is being established. Otherwise the drivers only need to be installed on the operator's workstation.

Additionally, if the smart card is to be encoded with an RFID ID and the printer has a built in RFID encoder then it will be necessary to install the reader drivers for the RFID encoder, which is normally an Omnikey encoder. These drivers can be downloaded from HID's website. If the operator is connecting over RDP these drivers will need to be installed on both the server where the vSEC:CMS is installed and on the workstation where the operator's RDP session is being established. Otherwise the drivers only need to be installed on the operator's workstation.

Once the drivers have been installed you should see the smart card readers in your device manager. These are typically listed as OMNIKEY 5x21 for the contact smart card reader and OMNIKEY 5x25 for the contactless (RFID) reader, if a contactless reader is included in the card printer.

Step 3 - Install Smart Card Printer Driver

On the server where the vSEC:CMS is installed and on the operator's workstation install the smart card printer drivers as provided on the CD delivered by your printer provider.

Step 4 - Configure Card Printer vSEC:CMS

1. Presuming that the vSEC:CMS is installed to the default location, from the C:\Program Files (x86)\Versasec\vSEC_CMS vSEC:CMS\printers folder copy the file FargoPrinterSDK21.dll to C:\Program Files (x86)\Versasec\vSEC_CMS vSEC:CMS.

2. Log onto the vSEC:CMS and from Options - Connections click the Configure button.

3. Select Smart Card Printer and add to the Selected pane and click Ok.

4. Click the Smart Card Printer to open up the configuration dialog.

5. From Smart Card Printer drop-down list select the HDP5000 Card Printer to select the printer.

6. Click the Details button to view additional details on the printer.

7. It will be necessary to select the contact smart card reader, or encoder, that is built into the printer. You will need to know the name of the reader to configure this. The contact reader name is typically called OMNIKEY CardMan 5x21 0. From the drop-down list select the reader.

8. Click the Test button to allow the vSEC:CMS to perform a test. If everything is configured and functional a success dialog should pop up.

9. If the reader name is not showing as described above and you do not know the name of the reader, you can click the Detect button to allow the vSEC:CMS to automatically detect the reader. On clicking the Detect button you will be prompted to detach the USB reader cable for the printer from your workstation.

Once the USB cable is detached you will then be asked to reattach the cable thereby allowing the vSEC:CMS to detect the reader.

10. Click Ok to save and close.

Step 5 - Create Smart Card Batch Issuance File

For the smart cards that you wish to batch issue, you will need to create a batch file containing the DNs of the users. See Step 1 of the article Perform Batch Issuance for details on how to create a batch input file.

Step 6 - Create Smart Card Design Layout

Presuming that a design layout is to be printed onto the smart card you can create a layout design that can be then printed onto the smart card during the issuance process.

The smart card layout for printing images and data onto the smart card is configured through a file known as a layout file in the vSEC:CMS.

Determining Data for Smart Card Layout File

When configuring smart card printing in vSEC:CMS, it is important to be able to position and size the texts and images that are printed on the card. This section describes on a basic level how to do this. This section lists a number of basic tasks, and then describes how to accomplish this using Adobe Photoshop (one of the most popular image editing applications) and GIMP (a free and very capable application).

As a final step, this section will describe how the positions for image and text can then be used and configured in the vSEC:CMS using a layout file.

Getting Details from the Printer

It is important to consult the smart card printer documentation to create the best possible design for the printer and smart card that is going to be used. However, some of the most important details are available directly from the vSEC:CMS application. The Print area of the smart card is available from Options - Connections - Smart Card Printer - Details.

Parameter Values Overview

This section will describe the X,Y co-ordinates for the smart card layout as used by the vSEC:CMS.

Position and Size

[Figure: print1.png]

Front and Back

[Figure: print2.png]

Rotation

[Figure: print3.png]

Smart Card Layout File

The smart card layout file is divided into 2 main sections: Front and Back.

Front

In this section, the layout for the design that will be printed on the front of the smart card is defined. From here there can be any number of parameters defined, from Field1…Fieldn. For example, if it is required to configure a background design, text fields, a user picture and a rectangle area to be printed on the front of the smart card the Front section parameters (4 in total) could be defined as below:

  • Field1=Front_FixedBackground
  • Field2=Front_Textfeld1
  • Field3=Front_UserPicture
  • Field4=Front_Rect1

The elements then for each parameter would be defined in these sections, for example, sections called: [Front_FixedBackground], [Front_Textfeld1], [Front_UserPicture] and [Front_Rect1].

Back

In this section, the layout for the design that will be printed on the back of the smart card is defined. From here there can be any number of parameters defined, from Field1…Fieldn. For example, if it is required to configure a background design and a text field to be printed on the back of the smart card the Back section parameters (2 in total) could be defined as below:

  • Field1=Back_FixedBackground
  • Field2=Back_Textfeld1

The elements then for each parameter would be defined in these sections, for example, sections called: [Back_FixedBackground] and [Back_Textfeld1].

Layout Elements

| Key | Sample Value | Description |
|---|---|---|
| Type | FixedImage | The type of the element (see table below). This triggers different rendering methods. |
| Left | 10 | Left position of this element. |
| Top | 30 | Top position of this element. |
| Width | 100 | Width of this element. |
| Height | 30 | Height of this element. |
| Orientation | 0.0 | Orientation in degrees (to rotate the element). |
| BackgroundColor | 128,128,128 | RGB of background color for the element. |
| Transparent | 1 | 0=Element is not transparent. 1=Element will have transparent background. |
| Mandatory | 0 | 1=Field is mandatory. If no data is available for this field, the rendering will fail. 0=Field is not mandatory. If no data is available, this field will be kept empty. |
| Value | | Value depends on the Type. |
| ValueFile | C:\front.bmp | Reference to a file, where the value is taken from (e.g. for RTF or images). |
| VarFormat1 | UserCardExpiraryDate;inFrmtIso8601Time;"%d/%b/%Y";1 | This key can be used to print specific information to the smart card. For example, a common use case would be to print when the card is due to expire. This would be applicable for PIV smart cards. 4 values need to be provided here separated by the ‘;’ character. These values are: VarName: Name of the vSEC:CMS variable for which value the formatting will be configured. Important to note that the variable should not have the ‘$’ ‘{‘ ‘}’ characters. VaTypeSpecifier: Specifies the type of the variable value. This can be inFrmtIso8601Time or inFrmtUnixTime. Format: Define how the string should be formatted. This is based on https://msdn.microsoft.com/en-us/library/fe06s4ak.aspx. Flags: For uppercase provide a value of 1 and for lowercase provide a value of 2. |

The supported types are defined in the table below:

| Type | Description |
|---|---|
| fixedimage | This element describes a fixed image, which is part of the layout, for example a company logo. The ValueFile field will contain a reference to the image file. |
| rtftext | This element contains RTF text which is used to handle the text formatting. This RTF text can contain variables configured from the Options - Variables page of the vSEC:CMS. |
| image | This element describes a variable image, which will be read at runtime when rendering the layout. The Value field will contain a vSEC:CMS variable configured from the Options - Variables page. |
| fixedgdiobject | This element is used to draw rectangles. The Value field will have to be set to Rectangle. |
| barcode | This element is used for printing bar code to the smart card. |
| profile | The barcode decoder that is to be used. Currently decoder Code_128 is supported. If a different decoder profile is required please contact Versasec. |

Example

Follow the steps in this section to configure the vSEC:CMS in order to print a layout onto a smart card.

Step 1: Configure Front Background Image

Using a background image of type PNG, enter the following settings into the layout file.

[Front_IMAGE_BACKGROUND]
Type=FixedImage
ValueFile=background_image.png
Left=0
Top=0
Width=648
Height=1016
Orientation=0.0

Step 2: Configure Front ID Photo

Using the PNG image below, enter the following settings into the layout file. The parameter ValueFile would typically be linked to a variable in the vSEC:CMS in order to retrieve the picture of the user for whom the smart card is being issued and printed. For example, if a variable named ${picture} is already defined in the vSEC:CMS, the value would be ValueFile=${picture}.

[Front_IMAGE_EMPLOYEE_PICTURE]
Type=FixedImage
ValueFile=employee_picture.png
Left=46
Top=58
Width=342
Height=331
Orientation=0.0

Step 3: Configure Front Employee Name and Job Title

Enter the following settings into the layout file. In this case we use an RTF file to store the name of the employee and the job position title.

[Front_TEXT_EMPLOYEE_NAME_AND_TITLE]
Type=RtfText
ValueFile=employee_name_and_title.rtf
Left=450
Top=0
Width=390
Height=100
Orientation=270.0
BackgroundColor=0,0,0
Transparent=1

Typically, the contents of the RTF would refer to variables defined in the vSEC:CMS that would be used to retrieve the employee name and employee job title from a user directory when issuing and printing a smart card for a user.

Step 4: Configure Back of card

Using a PNG image, enter the following settings into the layout file:

[BACK_IMAGE_COMPANY_URL]
Type=FixedImage
ValueFile=back_of_card.png
Left=0
Top=0
Width=648
Height=1016
Orientation=0.0

Step 5: Completing the Layout File

It will be necessary to place all of the settings already defined into a layout file. Below is the completed layout file that would then be imported into the vSEC:CMS.

; Add comments to layout file using ; character
;Front of card is side with smart card chip facing out
;Back of card is blank white side showing
[Front]
Field1=Front_IMAGE_BACKGROUND
Field2=Front_IMAGE_EMPLOYEE_PICTURE
Field3=Front_TEXT_EMPLOYEE_NAME_AND_TITLE
[Back]
Field1=BACK_IMAGE_COMPANY_URL
;;
;; Design the front of card layout
;;
[Front_IMAGE_BACKGROUND]
Type=FixedImage
ValueFile=background_image.png
Left=0
Top=0
Width=648
Height=1016
Orientation=0.0
[Front_IMAGE_EMPLOYEE_PICTURE]
Type=FixedImage
ValueFile=employee_picture.png
Left=46
Top=58
Width=342
Height=331
Orientation=0.0
[Front_TEXT_EMPLOYEE_NAME_AND_TITLE]
Type=RtfText
ValueFile=employee_name_and_title.rtf
Left=450
Top=0
Width=390
Height=100
Orientation=270.0
BackgroundColor=0,0,0
Transparent=1
;;;
;;; Design the back of card layout
;;;
[BACK_IMAGE_COMPANY_URL]
Type=FixedImage
ValueFile=back_of_card.png
Left=0
Top=0
Width=648
Height=1016
Orientation=0.0

Bar Code Printing

It is possible to configure the vSEC:CMS to print bar codes on a smart card during the issuance process. In order to be able to perform bar code printing a section needs to be added to the smart card layout file. The section needs to be of type barcode. 

Additionally, a profile parameter needs to be added. Currently decoder Code_128 is supported. If a different decoder profile is required please contact Versasec. For example, if a barcode is to be printed on the card a section similar to below would be set in the layout file:

[BARCODE]
Type=barcode
Profile=Code_128
Value=1234567
Left=275
Top=20
Width=300
Height=70
Orientation=0.0
Transparent=1
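
A pre-import check for the layout file described above (the Front/Back field lists, the element sections, the barcode section and VarFormat values), as an added Python example that is not Versasec code. It assumes section names are matched exactly, that every element carries Left/Top/Width/Height, and that the print area is the 648x1016 size used in the article's example; `lint_layout` and its messages are hypothetical names.

```python
import configparser

# Element types from the article's "supported types" table, lower-cased.
SUPPORTED_TYPES = {"fixedimage", "rtftext", "image", "fixedgdiobject", "barcode"}
# Keys a type cannot render without (assumption drawn from the table text).
REQUIRED = {"fixedimage": ["valuefile"], "image": ["value"], "barcode": ["value"]}
TIME_SPECIFIERS = {"inFrmtIso8601Time", "inFrmtUnixTime"}


def _lint_element(name, sec, print_w, print_h):
    out = []
    etype = sec.get("type", "").lower()
    if etype not in SUPPORTED_TYPES:
        out.append(f"[{name}] unsupported Type '{sec.get('type', '')}'")
    for key in REQUIRED.get(etype, []):
        if not sec.get(key):
            out.append(f"[{name}] {etype} element is missing {key}")
    if etype == "barcode" and sec.get("profile") != "Code_128":
        out.append(f"[{name}] Profile must be Code_128")
    if etype == "fixedgdiobject" and sec.get("value") != "Rectangle":
        out.append(f"[{name}] Value must be Rectangle")
    try:
        left, top, width, height = (int(sec[k]) for k in ("left", "top", "width", "height"))
        rotation = float(sec.get("orientation", "0"))
    except (KeyError, ValueError):
        out.append(f"[{name}] Left/Top/Width/Height/Orientation missing or not numeric")
    else:
        if min(left, top) < 0 or min(width, height) <= 0:
            out.append(f"[{name}] negative position or empty size")
        # Only unrotated elements are bounds-checked; rotated geometry is not modelled.
        elif rotation == 0 and (left + width > print_w or top + height > print_h):
            out.append(f"[{name}] extends outside the {print_w}x{print_h} print area")
    for key, val in sec.items():
        if key.startswith("varformat"):
            parts = [p.strip() for p in val.split(";")]
            if len(parts) != 4:
                out.append(f"[{name}] {key} needs 4 ';'-separated values")
            elif (set(parts[0]) & set("${}") or parts[1] not in TIME_SPECIFIERS
                  or parts[3] not in ("1", "2")):
                out.append(f"[{name}] {key} has a bad VarName, type specifier or flag")
    return out


def lint_layout(text, print_w=648, print_h=1016):
    """Return a list of problems in a layout file; an empty list means none found."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",),
                                   comment_prefixes=(";",))
    try:
        cp.read_string(text)
    except configparser.Error as exc:
        return [f"parse error: {exc}"]
    problems, referenced = [], set()
    if not cp.has_section("Front"):
        problems.append("missing [Front] section")
    for side in ("Front", "Back"):
        if not cp.has_section(side):
            continue
        for key, target in cp.items(side):
            if key.startswith("field"):
                referenced.add(target)
                if not cp.has_section(target):
                    problems.append(f"[{side}] {key} -> undefined section [{target}]")
    for name in cp.sections():
        if name not in ("Front", "Back"):
            if name not in referenced:
                problems.append(f"[{name}] is not listed in [Front] or [Back]")
            problems += _lint_element(name, cp[name], print_w, print_h)
    return problems


# Constructed sample with deliberate mistakes (not a file from the article).
SAMPLE = """\
[Front]
Field1=Front_TEXT_EXPIRY
[BARCODE]
Type=barcode
Profile=Code_39
Value=1234567
Left=400
Top=20
Width=300
Height=70
"""

if __name__ == "__main__":
    for problem in lint_layout(SAMPLE):
        print(problem)
```

Pass the print area shown under Options - Connections - Smart Card Printer - Details as `print_w` and `print_h` when it differs from the default.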

Step 7 - Configure Card Template

1. Navigate to Options - Smart Cards page. When the page is loaded attach the smart card token that is to be issued with the vSEC:CMS. The vSEC:CMS will filter the card type and present the smart card template available in the vSEC:CMS.

2. Select the entry and click Edit. For Smart Card Access ensure that Use minidriver if possible is selected and click Save.

3. From Templates - Card Templates click the Add button.

4. Click the Edit link for General.

5. Enter a template name and attach the smart card token that is to be issued and click the Detect button to allow the vSEC:CMS to detect the smart card token type that is to be used for this card template. Click Ok to close the dialog.

6. Allow all other default settings in the General dialog and click Ok to save the settings and close this dialog.

7. Click the Edit link for Issue Card.

8. From User ID Options section enable Assign User ID and select the AD connection already configured.

9. From Enroll Certificate Options section enable Enroll certificate(s) and click the Add button. Select the CA connection already configured from the Certificate Authority drop-down list and select the smart card logon certificate template as configured on your CA from the Certificate template list and click Ok to save and close the dialog.

10. In the Printing Options section enable Print smart card and select the card layout design configured earlier from the drop-down list.

11. Allow all other defaults for the Issue Card dialog and click Ok to save and close.

12. Click Ok to save and close the card template configuration.

Important
It is important that the Windows smart card logon certificate template on the CA is configured to require an authorized signature. From the Issuance Requirements tab of the certificate template properties on the CA, enable This number of authorized signatures and set a value of 1, then select the Certificate Request Agent option from the Application policy drop-down list.

Step 8 - Issue Smart Card Token

1. From the Lifecycle page click the Insert button if there is no smart card inserted into the card printer.

2. Click the Issued oval and select the card template that is to be used.

3. Click the Batch button to start the issuance flow. You will be prompted to select the batch file configured in Step 5, which contains the DNs of the users that the smart cards will be issued to. Enable the Select manually radio button to select the input file during the issuance process, or select the Take from input file radio button and click the Browse button to select the input file.

Alternatively select Take from pending batch if it is required to use an input file that is in a pending state. An input file would be in a pending state if it was an input file that was used previously but for whatever reason it did not get processed correctly.

Enable the Run until card feeder is empty option, which means that the batch job will run until the card input feeder is empty. If you enable this option you can also specify the maximum number of cards to be issued in the Maximum cards to process field.

Enable the Preview before start option, which will result in a preview process being conducted first to ensure that all the required data that is to be printed on the card is available. For example, you may be using a vSEC:CMS variable to map to an AD attribute that will print the employee's ID on the card. It may be that this attribute is not populated for a user, and this would not become obvious until the card is actually printed. Using this mechanism, you can ensure that all the data is available before physically printing the cards.

4. Click the Start button to proceed. If the preview option was configured, the vSEC:CMS will gather all details that are to be printed onto the smart card and present them in a preview dialog. Select a user and the preview dialog will display a card preview. This will validate that the details that are to be printed on the smart card are available and valid. If a card preview is missing information that should be printed onto the card, or there is an error, the Result row will indicate an error. Uncheck the tick box if it is required to not issue and print a card for the user in the case that there is missing information or an error for the user card.

5. Once all the preview entries have been validated, click Continue to begin the actual issuance and printing of the cards. Depending on how many cards are to be batch issued, the process can take some time to complete.

6. During the issuance, the vSEC:CMS will provide status information indicating where the workflow is in relation to the batch job. When the batch issuance completes, a status dialog will appear. Click Ok from this dialog to see additional information about the issued cards. Select a record and click the Result button to view additional information about the operations performed on the issued smart card.

7. Click Close to complete.

Setup Using Datacard SR300 Card Printer

In this section, we will describe how to set up and configure a Datacard SR300 (SR300) smart card printer for use with the vSEC:CMS, where the SR300 is physically connected to the vSEC:CMS operator console workstation via the printer's USB connection. The USB connection in this case is used to connect the printer's built-in smart card readers to the operator's workstation. This should be viewed the same as if a USB smart card reader was connected to the operator's workstation. In this example, we will also show how the printer can be used to batch issue smart cards from the card feeder of the printer.

Note
The PKI used in this example use case will be an MS CA.
Note
The smart card type that will be managed in this use case will be a generic mini-driver smart card token.
Important
The smart card printer can be set up on a network where the smart card reader is configured as a network smart card reader. In this type of configuration, the communication is unencrypted. If you decide to use such a setup, be aware that the data sent to the smart card that is to be issued will be sent over the network unencrypted. Versasec does not recommend such a configuration, but if your network is considered secure then you may wish to set up the printer this way. We will therefore only describe how the vSEC:CMS can be set up to use the smart card printer when the smart card reader(s) are connected to the operator's workstation using the printer USB cable.

Step 1 - Install SR300 Printer Drivers

On the vSEC:CMS operator console host to which the SR300 printer is to be connected, it is necessary to install the SR300 printer drivers. Using the SR300 printer drivers as provided by your printer provider, start the installation wizard.

Important
The SR300 printer should not be connected to the host when performing this step.

Step 2 - Configure Card Printer vSEC:CMS

1. Log onto the vSEC:CMS and from Options - Connections click the Configure button.

2. Select Smart Card Printer and add to the Selected pane and click Ok.

3. Click the Smart Card Printer to open up the configuration dialog.

4. From the Printer name drop-down list select the printer.

5. Click the Details button to view additional details on the printer.

6. Enable the Print front side only check box if it is required to only print on the front of the smart card. It will be necessary to click the Detect button to allow the vSEC:CMS to automatically detect the reader. On clicking the Detect button you will be prompted to detach the USB reader cable for the printer from your host. Once the USB cable is detached you will then be asked to reattach the cable, thereby allowing the vSEC:CMS to detect the reader.

7. Click Ok to save and close.

Step 3 - Create Smart Card Batch Issuance File

For the smart cards that you wish to batch issue, you will need to create a batch file containing the DNs of the users. See Step 1 of the article Perform Batch Issuance for details on how to create a batch input file.

Step 4 - Create Smart Card Design Layout

See Step 6 - Create Smart Card Design Layout section above for details on this.

Step 5 - Configure Card Template

1. Navigate to Options - Smart Cards page. When the page is loaded attach the smart card token that is to be issued with the vSEC:CMS. The vSEC:CMS will filter the card type and present the smart card template available in the vSEC:CMS.

2. Select the entry and click Edit. For Smart Card Access ensure that Use minidriver if possible is selected and click Save.

3. From Templates - Card Templates click the Add button.

4. Click the Edit link for General.

5. Enter a template name and attach the smart card token that is to be issued and click the Detect button to allow the vSEC:CMS to detect the smart card token type that is to be used for this card template. Click Ok to close the dialog.

6. Allow all other default settings in the General dialog and click Ok to save the settings and close this dialog.

7. Click the Edit link for Issue Card.

8. From User ID Options section enable Assign User ID and select the AD connection already configured.

9. From Enroll Certificate Options section enable Enroll certificate(s) and click the Add button. Select the CA connection already configured from the Certificate Authority drop-down list and select the smart card logon certificate template as configured on your CA from the Certificate template list and click Ok to save and close the dialog.

10. In the Printing Options section enable Print smart card and select the card layout design configured earlier from the drop-down list.

11. Allow all other defaults for the Issue Card dialog and click Ok to save and close.

12. Click Ok to save and close the card template configuration.

Important
It is important that the Windows smart card logon certificate template on the CA is configured to require an authorized signature. From the Issuance Requirements tab of the certificate template properties on the CA, enable This number of authorized signatures and set a value of 1, then select the Certificate Request Agent option from the Application policy drop-down list.

Step 6 - Issue Smart Card Token

1. From the Lifecycle page click the Insert button if there is no smart card inserted into the card printer.

2. Click the Issued oval and select the card template that is to be used.

3. Click the Batch button to start the issuance flow. You will be prompted to select the batch file configured in Step 5, which contains the DNs of the users that the smart cards will be issued to. Enable the Select manually radio button to select the input file during the issuance process, or select the Take from input file radio button and click the Browse button to select the input file.

Alternatively select Take from pending batch if it is required to use an input file that is in a pending state. An input file would be in a pending state if it was an input file that was used previously but for whatever reason it did not get processed correctly.

Enable the Run until card feeder is empty option, which means that the batch job will run until the card input feeder is empty. If you enable this option you can also specify the maximum number of cards to be issued in the Maximum cards to process field.

Enable the Preview before start option, which will result in a preview process being conducted first to ensure that all the required data that is to be printed on the card is available. For example, you may be using a vSEC:CMS variable to map to an AD attribute that will print the employee's ID on the card. It may be that this attribute is not populated for a user, and this would not become obvious until the card is actually printed. Using this mechanism, you can ensure that all the data is available before physically printing the cards.

4. Click the Start button to proceed. If the preview option was configured, the vSEC:CMS will gather all details that are to be printed onto the smart card and present them in a preview dialog. Select a user and the preview dialog will display a card preview. This will validate that the details that are to be printed on the smart card are available and valid. If a card preview is missing information that should be printed onto the card, or there is an error, the Result row will indicate an error. Uncheck the tick box if it is required to not issue and print a card for the user in the case that there is missing information or an error for the user card.

5. Once all the preview entries have been validated, click Continue to begin the actual issuance and printing of the cards. Depending on how many cards are to be batch issued, the process can take some time to complete.

6. During the issuance, the vSEC:CMS will provide status information indicating where the workflow is in relation to the batch job. When the batch issuance completes, a status dialog will appear. Click Ok from this dialog to see additional information about the issued cards. Select a record and click the Result button to view additional information about the operations performed on the issued smart card.

7. Click Close to complete.