Introduction
vSEC:CMS logs all operations performed when managing credentials. This article describes some of the more commonly logged transactions, which can be useful when performing audits and troubleshooting issues in relation to a credential.
Understanding Credential Logs
The best way to see the history of the lifecycle operations performed on a managed credential is to select the credential from Repository - Smart Cards. Once it is selected, click the Trans. Log(s) button. This opens the entire transaction log history for the selected credential.
Entries are listed with the most recent action at the top and the oldest operation at the bottom. Each action is timestamped and carries an internal ID for the record entry and a Trans Log ID, which is the actual record ID in the transaction log table.
The Operator column shows which operator performed the action. There may be empty entries in this column, since some actions are performed internally by the system and therefore have no operator.
The Comment column provides short information on what was performed. This information is relatively self-explanatory. However, the entry Admin authorization requested can have different meanings. It is logged when an administration operation was performed on the credential. The values (in the Data column) can be:
- 0: This is when an internal administration operation needs to be performed on a managed credential;
- 1: This is when a PIN unblock administration operation is performed by an operator on a managed credential;
- 2: This is when a managed credential is updated by an operator;
- 3: This is when an end user performs an online PIN unblock via the vSEC:CMS User application;
- 4: This is when a managed credential is updated by an end user via vSEC:CMS User application.
The Data column provides more details on what was performed inside the actual action.
The CSN column contains the serial number of the credential that the operation was performed on.
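An added example (not part of vSEC:CMS or of the original article): a short Python audit pass over Admin authorization requested entries that decodes the Data value using the list above and flags operator-type operations (1, 2) whose Operator column is empty, as well as values outside 0 to 4. It assumes the rows have been copied to CSV with headers matching the column names in this article and that Data holds only the bare value; the sample rows, operator name and CSNs are constructed.

```python
import csv
import io
from collections import Counter

# Meanings of the Data value on "Admin authorization requested" entries,
# as listed in this article.
ADMIN_AUTH_CODES = {
    "0": "internal administration operation",
    "1": "PIN unblock by operator",
    "2": "credential update by operator",
    "3": "online PIN unblock by end user (vSEC:CMS User)",
    "4": "credential update by end user (vSEC:CMS User)",
}
OPERATOR_CODES = {"1", "2"}  # operations the article attributes to an operator

# Constructed sample rows, newest first; the CSV layout is an assumption.
SAMPLE_CSV = """Timestamp,ID,Trans Log ID,Operator,Comment,Data,CSN
2024-05-02 10:15:00,6,1006,,Admin authorization requested,1,CSN-0001
2024-05-02 09:40:00,5,1005,op-alice,Admin authorization requested,2,CSN-0001
2024-05-01 16:02:00,4,1004,,Admin authorization requested,3,CSN-0002
2024-05-01 12:30:00,3,1003,,Admin authorization requested,0,CSN-0001
2024-05-01 12:29:00,2,1002,op-alice,Admin authorization requested,7,CSN-0002
2024-05-01 12:00:00,1,1001,op-alice,Constructed non-admin entry,,CSN-0001
"""

def audit_admin_authorizations(csv_text):
    """Return (per-CSN Counter of decoded operations, list of findings)."""
    counts, findings = {}, []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Comment"].strip().lower() != "admin authorization requested":
            continue  # only this entry type carries the 0-4 code
        code, csn = row["Data"].strip(), row["CSN"].strip()
        ref = f"Trans Log ID {row['Trans Log ID']} (CSN {csn})"
        meaning = ADMIN_AUTH_CODES.get(code)
        if meaning is None:
            findings.append(f"{ref}: unrecognised Data value {code!r}")
            continue
        counts.setdefault(csn, Counter())[meaning] += 1
        # An operator-performed operation should name the operator.
        if code in OPERATOR_CODES and not row["Operator"].strip():
            findings.append(f"{ref}: {meaning} but Operator column is empty")
    return counts, findings
```
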
Below we provide sample transaction logs for some of the more common operations performed when managing credentials within vSEC:CMS.
Central Issuance
Below is a typical sample of transaction logs captured when an operator performs a credential issuance from the Admin or Agent application. In this flow a credential is issued with one certificate, a PIN policy is applied and at the end of the flow the credential PIN is in a blocked state. This is what is referred to as an Issued credential.
Central Activation
Below is a typical sample of transaction logs captured when an operator performs a credential activation from the Admin or Agent application, i.e. the credential is put into an Active state. In this flow the person to whom the credential is issued is present with the operator and sets a PIN on the credential. Once the operation is complete the credential will be Initiated.
Central PIN Unblock
Below is a typical sample of transaction logs captured when an operator performs a credential PIN unblock from the Admin or Agent application. In this flow the person to whom the credential is issued is present with the operator and unblocks the PIN on the credential.
Central Certificate Reissuance
Below is a typical sample of transaction logs captured when an operator performs a certificate reissuance from the Admin or Agent application. In this flow the person to whom the credential is issued is normally present with the operator.
Central Credential Retire
Below is a typical sample of transaction logs captured when an operator performs a retire of a credential from the Admin or Agent application.
Credential Delete
Below is a typical sample of transaction logs captured when an operator deletes a credential from the Admin or Agent application.
Credential Issuance from vSEC:CMS User
Below is a typical sample of transaction logs captured when an end user performs a credential issuance from the vSEC:CMS User application. In this flow a credential is issued with one certificate, a PIN policy is applied and at the end of the flow the end user sets a PIN.
Online PIN Unblock
Below is a typical sample of transaction logs captured when an end user performs an online PIN reset from the vSEC:CMS User application.
Offline PIN Unblock
Below is a typical sample of transaction logs captured when an end user performs an offline PIN reset (commonly referred to as challenge/response) from the vSEC:CMS User application.
Self-Service Certificate Reissuance
Below is a typical sample of transaction logs captured when an end user performs a certificate reissuance from the vSEC:CMS User application.
Credential Update
Below is a typical sample of transaction logs captured when a user is moved to a different credential template, which triggers a credential update. The credential update in this case is performed through the vSEC:CMS User application.