It is possible to manage the lifecycle of PIV and FIDO2 applications that are available on Yubikey tokens from vSEC:CMS. Yubikey tokens include other applications too that you may wish to manage in order to better control what is available to your end users when deploying such tokens.
From version 184.108.40.206 of vSEC:CMS it is possible to enable/disable if these applications are to be available for use when issued from vSEC:CMS. This article will describe how you can configure vSEC:CMS to manage such use cases.
The YubiKey tokens must support the functionality of changing the interface configuration and setting lock codes.
Configuration Use Case
There are 2 use cases that need to be described when looking to use this feature in vSEC:CMS.
- Option 1: How to configure when setting up to manage Yubikey tokens for first time;
- Option 2: How to configure when you already have Yubikey tokens deployed and you now want to enable/disable applications available on token.
In this section we will describe how to configure vSEC:CMS when setting up a use case to manage Yubikey tokens for first time. For the purpose of this article lets say you wish to enable only PIV application through the USB interface when a token is issued centrally using vSEC:CMS.
You should follow the instructions as described in the article Manage Yubikey PIV Credential. In this article we will only describe what additional steps you need to perform to configure what applications you wish to have available on the token.
From the Issue Card section of your template you should see in the General Card Properties section an Interfaces button.
From the Interfaces dialog a number of options are available.
Enable Configure interface(s) to configure which applications you want available when the token is issued. In this example we only want PIV application available through the USB interface.
In the General section enable the Lock the configuration option if you want to ensure that the end user cannot enable those applications already disabled using the Yubikey manager application. Click the Generate button to randomly set a static lock code that will then be used when issuing any token with the template. If you later want to allow/enable an application on the token using the Yubikey manager the end user will be prompted to enter the lock code. The lock code could then be provided by an operator/helpdesk person to allow this.
Enable the Use diversified codes option which will set a different code for each token when issued. This is recommended to be enabled when using this feature.
Currently it is not possible to extract the diversified lock codes for the tokens from vSEC:CMS.
Save the settings and then issue the tokens centrally or via self-service.
You can cross check that the applications have been disabled using the Yubikey manager application. If subsequently you wanted to add say the FIDO2 application for USB interface you can enable this and the user will be prompted to enter the lock code as in example below.
The lock code would need to be retrieved from the template configuration described above.
In this section we will describe when you already have Yubikey tokens issued and deployed using vSEC:CMS and you now want to disable applications on tokens.
In this case you will need to create a new template from Templates - Card Templates. You should follow the instructions as described in Option 1.
Then you need to migrate the currently issued tokens to the new template. Follow the instructions in the article Migrate Credential Template for details on this.